The global paradox
Software is the king and developers are the kingmakers. This statement indicates the growing demand for software, as the current business transformation requires interaction with computers or computer-assisted objects. This omnipresent computing has the potential to uptrend the incentives for misuse, thereby increasing the risk portfolio especially towards software. In the thick of things lies agile software development, a methodology rapidly adopted by organizations developing software. Being responsive to change, and delivering software at speed is the main essence of agile methodology. Security both as a process and as a technology requires intense planning and detailed analysis in order to arrive at the desired result. Even some of the best practices and frameworks encourage security testers to adopt manual intrusive approach for the best outcome. This brings us to the global paradox - whether to deliver software at high velocity, which propelled the need for competitiveness in the current marketplace, or focus on imperative security challenge to deliver secure software, perceived to have negative influence on the velocity.
Defining new approach
We should understand that the state of security today is similar to the state of operations back when DevOps was at its nascent phase.
The velocity of change does create a major challenge and requires a new way of thinking about security. To ensure seamless alignment to agile methodology and integration with DevOps, a change in approach is required in the following aspects:
Approach security as a journey, not a destination - this means developing a progressive security program. The program should not only focus on the technical aspects but also create the right framework that fits the business objective of the organization. To create such a framework, it is important to understand the eco-system governing the organization in terms of people, process, and technology. The below section enumerates best practices to adopt for building an effective and robust DevSecOps framework encompassing the golden triad:
Fig. 1: Framework
The get-go for any successful implementation of a program are people – they are the starting point. The idea is to create a common goal among development, security, and operations by building the right culture and developing the required skillset to achieve the collective objective.
Organizations have to create acceptable and repeatable process to facilitate secure development and deployment without comprising the objective of faster delivery.
DevSecOps provides a new spin to technology driving more automation and innovation. There is a demand to both create new and extend the existing tool sets to cater not only to the security professional but also the developers.
DevSecOps as a practice is getting increasing popular as organizations look to tackle ever-evolving challenges in security. Imparting the agile mindset in security is challenging as it conflicts the well-known and agreed methodical approach. However, the transformation is dependent on how people, process, and technology can be brought together to achieve overall business objectives in this new paradigm. This calls for defining a new philosophy towards security thereby bringing an inclusive culture and building the right set of process and technology. In this era of digital transformation, security should be an influencing factor along with agility, availability, and scalability.
Sriram Krishnan - Practice head, Cybersecurity & Risk Services, Wipro Ltd.
Sriram Krishnan is currently the Practice Head for Security Assurance Services within Wipro's Cybersecurity and Risk Services (CRS) division. He has over 13 years of experience in strategizing, leading, and implementing cyber security initiatives in organizations across product development, banking and big 4 consulting. He has worked and managed projects relating to Secure SDLC, threat modelling, secure coding, and penetration testing, and has advised on security best practices for global clients in telecom, technology, banking and financial services, and public sector. Sriram holds a Master’s degree in Computer Application from Anna University and has completed the Chief Information Security Officer (CISO) Executive Education Program from the Carnegie Mellon University.
He can be reached at email@example.com