Four benefits of a DevSecOps approach to innovation
According to recent Cisco AppDynamics research (“The shift to a security approach for the full application stack”), which surveyed 1,150 IT professionals across 13 markets worldwide, including here in the UAE, all UAE technologists who responded to the survey admit that the rush to rapidly innovate and respond to the changing needs of customers and users has come at the expense of robust application security during software development. Based on this research, James Harvey, Executive CTO, EMEA at Cisco AppDynamics, has penned an article detailing the four benefits of a DevSecOps approach to innovation.
Across all sectors, organisations have rapidly accelerated their application development over the past two years, to respond to the constantly evolving needs of customers and employees, and deliver ever more personalised and intuitive digital experiences. Technologists have taken advantage of cloud native technologies and low-code and no-code platforms to accelerate release velocity and build more dynamic applications across more platforms.
However, in many IT departments, application security simply hasn’t kept pace with the speed of innovation. The sheer volume of applications spread across multiple entities has made monitoring security throughout the DevOps pipeline extremely challenging, and the reality is that security teams are often deliberately excluded from the development phase due to fears that they will slow things down.
In the latest research from Cisco AppDynamics, ‘The shift to a security approach for the full application stack’, all surveyed technologists from the United Arab Emirates (UAE) admitted that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.
As a result, technologists are all too aware that applications are now increasingly vulnerable to new and emerging cybersecurity threats across a rapidly expanding attack surface. And the implications of this are potentially crippling — organisations risk significant service disruption and outages which could lead to loss of customers, reputation and revenue.
In response, technologists are recognising an urgent need for greater collaboration between development and security teams and therefore moving towards a DevSecOps approach. And the benefits of DevSecOps, where security is embedded throughout the development lifecycle, are potentially game-changing.
A need for collaboration between development and security teams
The biggest issue for many IT departments is that security teams don’t have any input until the very end of the development pipeline. In fact, in more than a third of UAE organisations (36%), ITOps teams only collaborate with security teams when there is a potential issue, if at all.
This siloed approach leads to poor reaction times to resolve security incidents and poor application performance. And ultimately it means organisations are more likely to suffer from security blind spots or gaps in their security protection.
This is why increasing numbers of IT departments are shifting towards a DevSecOps approach, so that application security and compliance testing are incorporated into the software development lifecycle from day one.
The shift to DevSecOps requires new tools and relies heavily on automation to detect and block security issues at runtime, embedding Artificial Intelligence (AI) into application security processes. But just as important is the required cultural shift to built-in security, so that ITOps and security teams operate side-by-side, supporting, understanding and appreciating the other’s contribution.
Technologists now regard a DevSecOps approach as essential to protect against a multi-staged security attack on the full application stack. And encouragingly, organisations are already making significant progress in shifting to this new way of working. 49% of IT departments in the Emirates have already started taking a DevSecOps approach and a further 48% are currently considering making the shift.
The benefits of DevSecOps
The research highlights four key benefits of a DevSecOps approach for technologists and their organisations.
- Improved security and reduced risk
DevSecOps makes security a shared responsibility and forces developers to identify and prioritise security issues at every step. It results in more secure products and better security management, before, during and after release.
- Faster development times and accelerated innovation
Automation is key to a successful DevSecOps strategy. Robust automation strengthens security postures using artificial intelligence (AIOps), identifying threats and resolving them independently of an administrator. This reduces human error, increases efficiency, and drives greater agility in development, enabling teams to ship and deploy applications even faster. Organisations can strengthen their security posture and scale security operations, without sacrificing speed.
- Improved collaboration
A siloed approach makes it incredibly difficult to balance competing priorities for speed, performance and security, and this can eventually affect morale and performance within teams. Collaboration enables technologists to make new connections, learn new skills and become more rounded professionals. And it makes for a more inclusive and enjoyable environment.
- Improved code quality through involvement of security teams
DevSecOps avoids the situation where security considerations delay applications going live at the very last minute or, even worse, where vulnerabilities are only identified once the application has been released. By “shifting left” and introducing security testing earlier in the development process, security teams can analyse and assess security risks and priorities during planning phases to set the foundation for development.
With technologists in the UAE coming under ever greater pressure to increase release velocity, the shift to DevSecOps is now urgent. IT teams need to ensure they have the tools, structures and processes to take a more proactive approach to application security throughout the application lifecycle.