Feb 20, 2019

Part 4: App Security Should Be An Integral Part Of Your DevSecOps Process — Not An Afterthought

How Arxan can help streamline and optimize your DevSecOps process

One of the most important factors to keep in mind when deploying a DevSecOps team is maintaining the right level of involvement between your developers and your security team. Scheduling too many reviews or meetings will bog down the development process, causing timelines to slip and your application to miss its launch deadline.

A good rule of thumb is to schedule security reviews to coincide with product milestones, such as a sprint review. Major issues should still be identified by the developers and escalated to Product Management and the Security team for review, but typically these reviews can be used to assess any newly completed features for potential security flaws in their implementation.

Even after an application is released, its security status should be constantly assessed and reviewed, and any weakness should be remediated. New features will constantly be added with each new release, and these features could in turn add new threats that can be exploited. Just because an application has left your organization’s walls and ventured into the wild does not mean your assessment process should end. A DevSecOps team should constantly be adapting in order to account for any new threats that were missed during development or have emerged from a previously considered “safe” attack surface.

One of the primary differentiators for Arxan’s Application Protection solutions is our Threat Analytics service. From the moment an app is deployed into a zero-trust environment, it immediately starts collecting data and sending alerts back when the app is downloaded onto a jailbroken or rooted device or when its code is being reverse engineered or tampered with, and it reports which guard is firing so you can understand exactly what an attacker is targeting within your application. Depending on the severity of the threat and the activity detected, Arxan can isolate malicious activity within a walled garden to prevent the theft of confidential data, payment details, user credentials and more.

Additionally, one of the first things that a DevSecOps team encounters when attempting to integrate within the current development process is resistance to change. All too often, the security vs. performance pendulum swings too far towards security when first starting out, and this leaves developers feeling resentful towards this new “security-minded” approach. You want to avoid any sort of “takeover” approach when first starting out.

Arxan’s Application Protection solutions are designed not to interfere with the development lifecycle, and can be implemented during the build phase at the end of each sprint to ensure code is secure before deployment. Arxan offers a solution for teams trying to achieve this precious balance when just starting out on the DevSecOps journey, or as a best practice when new apps are developed to begin with. With a new zero-configuration initial setup that does not disrupt continuous integration and continuous development (CI/CD) and DevSecOps environments, Arxan can easily deploy a baseline set of protection guards with analytics enabled. This ensures the app is protected upon release, and the analytics start collecting data and enable the DevSecOps team to adjust and optimize protections based on the behavior they see once the app is deployed.

To learn more about how Arxan can help, request a meeting.

Chris Mizell

Chris has spent 10 years in the application security space, with experience securing embedded, mobile and desktop-based applications. His work has spanned multiple industries including automotive, aviation, and financial services.
