DevSecOps, the grail of agility

November 19th, 2019  by Bruno van Marsenille

These days, a company’s success is measured by its agility, its ability to react to technological change, improve its competitiveness and conquer new markets. In the wake of the DevOps and NoOps methodologies, DevSecOps or the integration of IT security in the complete life cycle of applications seems to be a must.

In our previous blogs, we described why alignment between business and IT is essential, as it results in greater agility coming from the implementation of processes such as DevOps (close alignment between the development and IT operations teams) and NoOps (automation of deployment, monitoring and admin of applications and underlying infrastructure), associated with serverless and containers.

End to end
In the past, development and operations teams worked in sequence. The modern enterprise, however, can no longer afford weeks, months or perhaps even years to deploy new applications. Therefore, it is necessary to have both teams work closely together as part of an agile development strategy. Similarly, security can no longer be considered as a separate team, only joining the project at the very end of the design process. In fact, security becomes a shared responsibility, based on end-to-end integration: hence the concept of DevSecOps.

The DevSecOps concept aims to design application and infrastructure security from the very start of the design process, as well as to automate the workflow between the different teams as much as possible. That is why we talk about integrated security here, and not about the traditional security perimeter that protects applications and data. In the world of DevSecOps, security teams participate in defining and preventing potential threats from the very start of the project, and remain involved throughout the entire process. Cloud, container and micro-service technologies facilitate the integration of security features and ensure greater consistency of deployed solutions.

People and automation
When we look beyond the purely technological solution, it goes without saying that collaboration remains above all a question of people. As a result, it is necessary to put in place an environment that supports collaboration and communication, so that any vulnerability is detected as soon as it appears in the development process. Our consultants prefer a smooth transition: deploying the methodology in a small pilot team before scaling up, simplifying manual control processes, implementing continuous code testing, including business, development, security and operations teams in project governance, containerizing solutions to isolate the functions of a specific system, automating audit operations, and more.

DevSecOps also requires a new corporate culture, rethinking everyone’s responsibilities by dropping silos and creating a new model for team engagement. Surprising as it may seem, it is especially the security teams that will have to appreciate and accept this new approach, since security now becomes a joint responsibility and is no longer the exclusive field of a specialized team. DevSecOps relies on a type of security that is no longer based on perimeter controls (such as firewalls) but becomes context-aware. Indeed, because of the internet and the cloud, security is no longer limited to the perimeter of the organization.

A new paradigm
At all levels of the organization, the DevSecOps approach requires a change in culture and behaviour. Hence the obligation to involve senior management in this new approach, to make sure that IT and business are on the same page and communicate in full transparency. Ultimately, DevSecOps will reduce costs, shorten test phases and help manage the entire application life cycle.

While DevOps adoption is growing rapidly (75% of respondents report having reached this level of maturity), a recent survey by Sonatype (‘DevSecOps Community Survey 2019’, conducted with some 6,000 IT professionals and developers) shows that the integration of security remains insufficient.

To help clients throughout this transformation, Aprico Consultants collaborates with them to translate their companies’ strategies, objectives and constraints into pragmatic transformation programs that deliver real added value and a proven return on investment.

Aprico Consultants enables its customers to accelerate their digital transformation processes with the flexibility, performance and competitiveness they need to strengthen their position in the market. For more information on DevSecOps and our consultancy services, contact us: marketing@aprico-consult.com
