DevSecOps: A Combined Approach to Application Security

Information technology is becoming a central component of organizations and will gain more attention in the decision-making process among stakeholders. Mobile, web, and desktop applications will be important frontline units in businesses, and consumers will expect the very best of them in all aspects, from user experience, visual design and functionality to, of course, application security.

Why DevOps and SecOps are still separate entities

Technological advancements often warrant changes, some of them unexpected and initially seen as unconventional or even as ‘bad practice’. In computer science, each subdivision of the field has its own domain of responsibilities, expertise and point of view; these were thought to work well separately, yet they must work together in one production pipeline.

For example, the main priority of DevOps is to ensure that software development meets the product specification on a tight launch schedule. DevOps teams have their own set of rules and approaches to achieve this, and will not add any features that are not part of the main functionality. Oftentimes, application security is set aside to be worked on by the next team, SecOps.

SecOps then scrutinizes the software through a security lens. Oftentimes they have the additional work of modifying a small portion of code that DevOps left as a placeholder for the security snippets. This long-established way of working is time efficient, but there is always a risk of hidden bugs that can be exploited.

High-security high-quality applications will be the norm

Prioritizing speed over thorough bug tracking has been the norm for the majority of digital industries, from entertainment to banking. A major game company, for example, has had a PR problem because its customers saw bugs appearing as frequently as the company released new games. At the opposite end of the spectrum, banking applications are so heavily invested in security that user experience can be overlooked.

DevSecOps, an approach that sits at the intersection of software development and application security, attempts to create a more flexible environment in which developers and data security auditors can freely collaborate with one another, beyond the linear pipeline model of today’s digital industry.

Security as Code

DevSecOps requires a shift in attitude and mindset towards development. Security must be integrated within the CI/CD cycle. As stated in the DevSecOps Manifesto on its official website, developers must commit to creating hack-proof prototypes from the very beginning. Security must be part of the design DNA, not a protective jacket.

Therefore, security must be embedded alongside the ‘core functionality code’ in order to reduce the risk of exploitation. Teams must commit to this mindset, even if it appears to be disruptive to the ‘normal’ pacing of the development cycle.

Application security is one of the services with which Xynexis International helps developers. Together, we collaborate to provide guidance and security protocols that fuse efficiently with the core functionality of your application. Our assessment reports from penetration testing, for example, offer insight into security weaknesses in your applications. You can use these reports as a basis for taking remedial action with minimal effort.

Learn more about application security by Xynexis International.