careers spotlight

Drive2Cloud: How to quickly build secure applications in the cloud with DevSecOps?

5 minute read 09 May 2023

The DevSecOps methodology allows you to include IT security requirements in the development process in a way that minimizes risks without slowing down the pace of delivering new products.

How did the evolution of application development lead to DevSecOps?

The first commercial applications were characterized by a monolithic architecture, and their target runtime environment was mostly desktop. The code was developed in isolation, most integration and deployment steps were done manually, and the development and operations teams were separated from each other. In those circumstances, however, this was not a significant problem - the low frequency of releases did not create pressure in terms of speed of implementation, while the priority was software stability. Progressive technological development and growing market requirements, however, increased the pressure to introduce more frequent modifications to the application. The above conditions forced profound changes in the software production process, including the organization, tools used and corporate culture. As a result, a consistent and transparent DevOps methodology was created, the intention of which was to use the best practices to face the new reality. 

The DevOps methodology is based on close cooperation of all people working on application development. The proposed integration of development, operational and testing teams is intended to break down organizational silos. A similar emphasis is placed on the team culture, according to which everyone is equally responsible for the quality and safety of the final product. While DevOps does not refer to specific technologies used in software production, their use facilitates the entire process. CI/CD tools, monitoring, configuration and version management or test automation are elements without which it is difficult to imagine a modern application development process.

Is DevOps enough in the face of the new digital revolution?

A serious challenge for DevOps is the integration of the product development process with security requirements, the importance of which has been raising in recent years. The increase in cloud adoption and the rapid spread of web services – also related to mobile and IoT technologies – increases the potential for cyberattacks on applications. In addition, maintaining the required pace of implementation while maintaining the assumed level of security often turns out to be problematic. It is not uncommon for security teams to stop ready releases just before deployment due to detected vulnerabilities. Unfortunately, such events are usually very expensive. The introduction of corrections in the ready code usually takes a disproportionately long time, which affects both the Time-to-Market of IT products and the increase in development costs. Moreover, the growing number of application and infrastructure components that are hosted in the cloud and the popularity of application containerization strategies pose additional cybersecurity challenges.

Is it possible to reconcile IT security requirements with the flexibility of application development and high frequency of implementations?

Integrating the area of ​​cybersecurity and agile development of IT applications is the main goal of DevSecOps. It places emphasis on building secure applications from the very beginning of the development process and points to the importance of proactive threat prevention.

In accordance with the shift-left paradigm, security tests are performed at every stage of application development. The DevSecOps methodology also promotes the transformation of the organization's culture and building awareness that each team member is responsible for security. Moreover, security related issues are included in the basic requirements of the application. Involvement of security teams already at the application design stage allows for the elimination of silos that separated them from development teams.

How the changes postulated by DevSecOps help to ensure security while maintaining flexibility?

One of the main pillars of DevSecOps is the implementation of a specific test strategy. The shift-left paradigm allows you to largely prevent vulnerabilities in the code before they are propagated to the next stages of the development process, where their removal tends to be more time-consuming and negatively affect the schedule. At the same time, the DevSecOps methodology does not neglects the importance of shift-right tests, in which security tests are conducted not on static code, but on an already running application. As a result, the above approach allows you to respond to the risks associated with limited control over the version of the libraries used, the way they are used and the exposure of sensitive data on the Internet. The importance of such an approach increases in the era of the growing popularity of containerized applications, in which control of processes launched on individual containers can be challenging and a potential attacker can relatively easily use them to expose data or disrupt application stability.  

The DevSecOps methodology also discusses several classes of tools without which continuous security testing would slow down the pace of application development. Below is a list of them, along with a brief description:

  • the purpose of which is to statically analyze the application code in terms of security. The implementation of tools of this class allows for the largest possible shift to the "left" of the test process, because their use does not require a running application. Combined with simple implementation and integration in the CI/CD process, SAST is a very valuable tool for developers, as it allows for almost immediate removal of detected vulnerabilities in the created code. 

In addition to changing the organization of teams and implementing test tools, effective implementation of the DevSecOps methodology also requires appropriate modifications to the software production process itself.

Proper tracking, control and visibility of detected security vulnerabilities are key to successful implementation. Appropriate assessment of the criticality of incidents and planning adequate repair tasks will allow you to close the DevSecOps cycle, and at the same time ensure application security and effective use of team time.

Summary

In a very competitive market, organizations are under strong pressure that enforces flexibility and minimal Time-to-Market of delivered applications. The architecture based on microservices, application containerization or migrating processes to the cloud allow you to achieve these goals. However, the implementation of these innovations is associated with a change in the IT security risk profile. The implementation of the DevSecOps methodology helps organizations combine the speed of application development while ensuring security, as well as prevent threats related to the adoption of new technologies.

Drive2Cloud: Jak szybko budować bezpieczne aplikacje w chmurze dzięki podejściu DevSecOps.

PL version

How EY can Help

Contact us

About this article

Related topics
Technology

Related articles

Cloud DR: How can the public cloud help secure business continuity?

The Kenya Revenue Authority now requires all taxpayers carrying on business to onboard on the electronic Tax Invoice Management System (e-TIMS). Taxpayers should ensure electronic generation and transmission of invoices through e-TIMS with effect from 1 January 2024. Failure to register exposes a taxpayer to a penalty that is twice the amount of tax due and makes the expense nondeductible for corporation tax purposes.

Przemysław Jankowski

Why the metaverse is a human opportunity

The metaverse promises to transform our world. So what does it mean for us as humans?

    EY refers to the global organization, and may refer to one or more, of the member firms of Ernst & Young Global Limited, each of which is a separate legal entity. Ernst & Young Global Limited, a UK company limited by guarantee, does not provide services to clients.