DevOps defence: three practical considerations to help dev teams follow “shifting left” principles

by

Mark Troester


4 months ago


Now that automation and artificial intelligence (AI) are enabling developers to create software and apps at scale, and at a faster pace than ever before, the question of security integration has become even more critical.

Australia’s data breach costs have jumped to AUD $3.82 million over the past five years. Yet, it seems that security remains a major hurdle for dev teams: our last DevSecOps research showed that 60% of Australian developers and IT decision makers don’t fully understand how security fits into DevSecOps.

The real-world risks of adding security late in the process mean that dev team leaders need proven strategies and best practices to integrate security measures more seamlessly into the development lifecycle.

Intricacies of DevSecOps: embedding security needs a “shift left” approach

Contrary to common belief, security incidents are not primarily the result of vulnerable or outdated components, authentication weaknesses or sophisticated phishing attacks.

Oftentimes, it is simply configuration errors that are the culprit: a staggering 80% or more of ransomware attacks can be traced to common configuration errors in software and devices.

A stand-alone security approach isn’t fit for purpose here; it can actually make things worse by slowing down production, for example when development teams go from development to QA to staging and only then insert a security review.

This type of approach pushes things downstream, which in turn greatly increases the cost, time and effort to address issues at the end of the development cycle rather than doing it earlier.

Shift-left security and compliance in DevOps means checking for security issues earlier in the development process, allowing developers to identify coding issues and fix defects more quickly, before they become harder to manage.

What about scale?

The scale at which enterprises need to operate today is adding to the complexity of ensuring high levels of security throughout the development lifecycle.

Scale isn’t just about the number of physical devices or servers. Tech ecosystems can comprise multiple clouds and various device types that require support, and span multiple user locations and compute sites.

A growing number of compliance and security standards also need to be assessed and managed, which can end up becoming a tall order for dev teams.

Three practical considerations for effective DevSecOps and compliance

  1. The continuous compliance approach

This is about recording and confirming the initial, approved development configuration as a baseline, so that drift away from it can be caught as the dev team moves forward. With this approach, the security of the software development life cycle (SDLC) is raised by constantly verifying whether configuration drift has been detected and remediated.

Continuous automation makes this possible at scale across Dev, Test and Prod environments.
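The drift check described above, as an added illustration (not code from the article or from Progress): an approved baseline is compared against what each environment reports today, every difference is classified, and the findings are turned into remediation actions that restore the baseline. The baseline, the observed configurations and the Dev/Test/Prod names are constructed sample data.

```python
"""Continuous compliance: detect configuration drift against an approved
baseline across several environments and produce a remediation plan.
Added illustration with constructed sample data."""
from typing import Any, Dict, List, Tuple

# Approved baseline captured when the environments were first built (constructed).
BASELINE: Dict[str, Any] = {
    "tls": {"min_version": "1.2", "enforce": True},
    "storage": {"public_read": False, "encryption": "aes256"},
    "ssh": {"password_auth": False, "port": 22},
    "logging": {"enabled": True, "retention_days": 90},
}

# What a scan of each environment reports today (constructed sample data).
OBSERVED: Dict[str, Dict[str, Any]] = {
    "dev": {
        "tls": {"min_version": "1.2", "enforce": True},
        "storage": {"public_read": False, "encryption": "aes256"},
        "ssh": {"password_auth": False, "port": 22},
        "logging": {"enabled": True, "retention_days": 90},
    },
    "test": {
        "tls": {"min_version": "1.2", "enforce": True},
        "storage": {"public_read": True, "encryption": "aes256"},  # drifted
        "ssh": {"password_auth": False, "port": 22},
        "logging": {"enabled": True, "retention_days": 30},        # drifted
    },
    "prod": {
        "tls": {"min_version": "1.2", "enforce": True},
        "storage": {"public_read": False, "encryption": "aes256"},
        "ssh": {"password_auth": True, "port": 22},                # drifted
        "logging": {"enabled": True, "retention_days": 90},
        "debug": {"enabled": True},                                # not in baseline
    },
}


def flatten(cfg: Dict[str, Any], prefix: str = "") -> Dict[str, Any]:
    """Turn a nested dict into {"a.b.c": value} so paths can be compared directly."""
    out: Dict[str, Any] = {}
    for key, value in cfg.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = value
    return out


def detect_drift(baseline: Dict[str, Any], observed: Dict[str, Any]) -> List[Tuple[str, str, Any, Any]]:
    """Return (path, kind, expected, actual) for every difference.

    kind is 'changed' (value differs), 'missing' (in baseline, absent in the
    environment) or 'unexpected' (present in the environment, not in baseline).
    """
    base, obs = flatten(baseline), flatten(observed)
    drift = []
    for path in sorted(set(base) | set(obs)):
        if path not in obs:
            drift.append((path, "missing", base[path], None))
        elif path not in base:
            drift.append((path, "unexpected", None, obs[path]))
        elif base[path] != obs[path]:
            drift.append((path, "changed", base[path], obs[path]))
    return drift


def remediation_plan(drift: List[Tuple[str, str, Any, Any]]) -> List[str]:
    """Turn drift findings into remediation actions that restore the baseline."""
    plan = []
    for path, kind, expected, actual in drift:
        if kind == "unexpected":
            plan.append(f"remove {path} (value {actual!r} is not in the approved baseline)")
        else:
            plan.append(f"set {path} = {expected!r} (currently {actual!r})")
    return plan


def check_environments(baseline: Dict[str, Any], observed_by_env: Dict[str, Dict[str, Any]]) -> Dict[str, List[str]]:
    """Run the drift check for every environment; an empty list means compliant."""
    return {env: remediation_plan(detect_drift(baseline, cfg)) for env, cfg in observed_by_env.items()}


if __name__ == "__main__":
    for env, actions in check_environments(BASELINE, OBSERVED).items():
        status = "compliant" if not actions else f"{len(actions)} drift item(s)"
        print(f"[{env}] {status}")
        for action in actions:
            print(f"    - {action}")
```

Scheduling `check_environments` from the automation server after every deployment, and failing the run when any environment returns a non-empty plan, is what makes the check continuous rather than a one-off audit.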

  2. A place for both human and automation zones

While humans are responsible for developing the app or the software, automation is the best ally when it comes to performing routine actions, backed up by a two-person rule: a sensible code review process in which a second person approves each change.

Setting up an automation zone can start with a series of actions, such as committing to a code repository and triggering an automation server to build it. The server then deploys and pushes the changes through to the appropriate environment. The user is partially removed from the process and is notified only if something goes wrong or if they must be involved in the approval process.

This human-assisted automation reduces human error and frees users to work on higher-level, more interesting work.
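The automation zone described in the last three paragraphs, as an added illustration (not code from the article or from Progress): a change moves through build, approval gate and deploy stages; the approval gate enforces the two-person rule (at least one approver who is not the author, so self-approval does not count); and the pipeline stops at the first failing stage and records the notification the user would receive. The change records, reviewer names and the in-memory deployment log are constructed stand-ins for a real repository, review tool and deployment target.

```python
"""Human-assisted automation zone: build -> approval gate -> deploy, with the
two-person rule enforced before deployment and a notification whenever a
stage fails or a human must step in. Added illustration with constructed data."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Change:
    commit: str
    author: str
    approvals: List[str] = field(default_factory=list)  # reviewers who approved
    tests_passed: bool = True                           # recorded build outcome


@dataclass
class PipelineResult:
    deployed: bool
    stopped_at: Optional[str]          # stage that blocked the change, if any
    notifications: List[str]


# Constructed stand-in for the deployment target: environment -> deployed commits.
DEPLOYMENTS: Dict[str, List[str]] = {}


def two_person_rule(change: Change) -> bool:
    """At least one approver other than the author; the author approving
    their own change does not satisfy the rule."""
    return any(approver != change.author for approver in change.approvals)


def stage_build(change: Change) -> Optional[str]:
    # A real build step would compile and run the test suite; here the
    # recorded outcome stands in for it (constructed).
    return None if change.tests_passed else "test suite did not pass"


def stage_approval_gate(change: Change) -> Optional[str]:
    if two_person_rule(change):
        return None
    return f"{change.commit} needs review from someone other than {change.author}"


def stage_deploy(change: Change, environment: str) -> Optional[str]:
    deployed = DEPLOYMENTS.setdefault(environment, [])
    if change.commit in deployed:
        return f"{change.commit} is already deployed to {environment}"
    deployed.append(change.commit)
    return None


def run_pipeline(change: Change, environment: str) -> PipelineResult:
    """Run the stages in order; stop at the first problem and notify the user."""
    stages: List[Tuple[str, Callable[[Change], Optional[str]]]] = [
        ("build", stage_build),
        ("approval", stage_approval_gate),
        ("deploy", lambda c: stage_deploy(c, environment)),
    ]
    notifications: List[str] = []
    for name, step in stages:
        problem = step(change)
        if problem:
            notifications.append(f"[{name}] action needed: {problem}")
            return PipelineResult(False, name, notifications)
    notifications.append(f"[deploy] {change.commit} deployed to {environment}")
    return PipelineResult(True, None, notifications)


if __name__ == "__main__":
    for change in (
        Change("c0ffee1", "alice", approvals=["alice"]),         # self-approved only
        Change("c0ffee2", "alice", approvals=["bob"]),           # satisfies the rule
        Change("c0ffee3", "alice", approvals=["bob"], tests_passed=False),
    ):
        result = run_pipeline(change, "staging")
        print(change.commit, "deployed" if result.deployed else f"stopped at {result.stopped_at}")
        for note in result.notifications:
            print("   ", note)
```

The user only hears from the pipeline through `notifications`, which is the point of the design: routine, passing changes flow through without anyone watching, and a person is pulled in exactly when the two-person rule is unmet or a stage fails.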

  3. Human-readable, machine-enforceable policies driving automation at scale

Achieving automation at scale extends the concept of infrastructure as code (IaC) to policy as code (PaC), moving from managing security and compliance rules with spreadsheets to defining the policies using human-readable code that is enforceable using machine automation.

In graduating to a policy-as-code approach, DevOps teams are not only performing automated configuration management, but they are also conducting automated continuous policy checks and remediation.
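What a policy-as-code check looks like in practice, as an added illustration (not code from the article or from Progress): each policy pairs the plain-language statement an auditor would read with the machine check that enforces it, the set is evaluated over a configuration, and policies that declare a safe value are remediated automatically. A key that is absent from the configuration is treated as non-compliant rather than skipped. The policy set, identifiers such as `TLS-1`, and the sample configuration are all constructed for this example.

```python
"""Policy as code: human-readable policy statements paired with machine checks,
evaluated over a configuration, with automated remediation where the policy
declares a safe value. Added illustration with constructed policies and data."""
import copy
from typing import Any, Dict, List

# Each policy carries the statement a human reads, the path it governs, the
# check the machine runs, a severity, and (optionally) the value remediation sets.
# Identifiers and thresholds are constructed for this example.
POLICIES: List[Dict[str, Any]] = [
    {"id": "TLS-1", "statement": "Services must require TLS 1.2 or newer",
     "path": "tls.min_version", "check": lambda v: v in ("1.2", "1.3"),
     "severity": "high", "remediate": "1.2"},
    {"id": "STOR-1", "statement": "Storage buckets must not be publicly readable",
     "path": "storage.public_read", "check": lambda v: v is False,
     "severity": "critical", "remediate": False},
    {"id": "LOG-1", "statement": "Audit logs must be retained for at least 90 days",
     "path": "logging.retention_days", "check": lambda v: isinstance(v, int) and v >= 90,
     "severity": "medium", "remediate": 90},
    {"id": "SSH-1", "statement": "SSH must not accept password authentication",
     "path": "ssh.password_auth", "check": lambda v: v is False,
     "severity": "high", "remediate": False},
]

# Constructed configuration as a scan might report it: retention_days is absent.
SAMPLE_CONFIG: Dict[str, Any] = {
    "tls": {"min_version": "1.0"},
    "storage": {"public_read": True},
    "logging": {"enabled": True},
    "ssh": {"password_auth": False},
}


def lookup(cfg: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted path; None when any part is missing (non-compliant, not ignored)."""
    node: Any = cfg
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def assign(cfg: Dict[str, Any], path: str, value: Any) -> None:
    """Set a dotted path, creating intermediate sections as needed."""
    parts = path.split(".")
    node = cfg
    for part in parts[:-1]:
        node = node.setdefault(part, {})
    node[parts[-1]] = value


def evaluate(cfg: Dict[str, Any], policies: List[Dict[str, Any]] = POLICIES) -> List[Dict[str, Any]]:
    """Return one violation record per failed policy, in policy order."""
    violations = []
    for policy in policies:
        actual = lookup(cfg, policy["path"])
        if not policy["check"](actual):
            violations.append({"id": policy["id"], "severity": policy["severity"],
                               "statement": policy["statement"],
                               "path": policy["path"], "actual": actual})
    return violations


def remediate(cfg: Dict[str, Any], policies: List[Dict[str, Any]] = POLICIES) -> List[str]:
    """Apply the declared safe value for every violated policy; returns what was changed."""
    by_id = {p["id"]: p for p in policies}
    applied = []
    for violation in evaluate(cfg, policies):
        policy = by_id[violation["id"]]
        if "remediate" in policy:
            assign(cfg, policy["path"], policy["remediate"])
            applied.append(f"{policy['id']}: set {policy['path']} = {policy['remediate']!r}")
    return applied


if __name__ == "__main__":
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    for v in evaluate(cfg):
        print(f"{v['severity'].upper():8} {v['id']}: {v['statement']} (found {v['actual']!r})")
    for line in remediate(cfg):
        print("remediated", line)
    print("remaining violations:", len(evaluate(cfg)))
```

Keeping the statement and the check side by side in one record is what makes the policy both human-readable and machine-enforceable: the same file that an auditor reviews is the one the automation server runs on every environment.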

Ultimately, the goal is to bolster security throughout the development lifecycle and to do it at scale. For DevOps leaders, the advantages of adopting a best-practice approach that handles security earlier in the DevOps process are clear.

By embedding security in the DevOps process, as well as using the right technology framework based on shifting left practices, organisations can promote innovation and maximise security efforts.

This article is written by Mark Troester, Vice President of Strategy, Progress

The insight is published as part of UPTECH MEDIA’s thought leadership piece, written within its repository of contributor articles.
