Gone are the days when application security was the responsibility of the security team alone. I remember that even a few years ago, when I was part of a development team, our software would go through a security assessment only a few days before go-live. It scares me now to realize that we took a huge risk by deferring security assessment to the tail end of the development phase.
The increase in security incidents in recent years has had one fortunate outcome: managers have come to recognize how critical application security is. Enterprises have started to look deeper into the development process and to include security assessments more frequently, at various intervals. However, one challenge organizations face is adapting the security control process to the changing landscape of application development. With DevOps now seen as the industry standard for efficient and fast software delivery, it is imperative that security be included in the model. Otherwise, the time taken to fix one critical security flaw found right before go-live may wipe out the entire savings gained by adopting DevOps best practices.
DevSecOps takes DevOps to the next level by treating security as a critical component from the development phase onward. The objective of DevSecOps is to build security in and to prevent flaws and violations from the very beginning of development. In the DevSecOps process, an application security scanner is added to the DevOps pipeline so that a build does not pass unless its critical security flaws are fixed. Following this process has quite a few benefits, as listed below.
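The build gate described above, as an added example that is not part of the original article: a small Python policy check that a pipeline step would run over the scanner's report and that fails the build when unsuppressed findings reach the configured severity. The report layout, the severity names, the suppression file and the finding ids are all assumptions for this example; no real scanner or project is implied.

```python
"""Pipeline gate: fail the build on unresolved findings at or above a severity threshold.

The JSON report shape (a "findings" list with id/rule/severity/file/line) is an
assumption for this example; real scanners emit their own formats (SARIF etc.).
"""
import json
import sys
from datetime import date

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed scanner output for illustration; these are not real findings.
SAMPLE_REPORT = json.dumps({"findings": [
    {"id": "F-1", "rule": "sql-injection", "severity": "critical", "file": "app/db.py", "line": 42},
    {"id": "F-2", "rule": "weak-hash", "severity": "high", "file": "app/auth.py", "line": 17},
    {"id": "F-3", "rule": "debug-enabled", "severity": "low", "file": "settings.py", "line": 3},
]})

# Constructed suppression list. Each accepted risk needs a reason and an expiry so that
# a temporary exception cannot silently become permanent.
SAMPLE_SUPPRESSIONS = [
    {"id": "F-2", "reason": "checksum only, not password hashing (hypothetical ticket)",
     "expires": "2099-01-01"},
]


def evaluate_gate(report_json, suppressions, fail_on="high", today=None):
    """Return (passed, blocking_findings), blocking sorted most severe first.

    Expired suppressions are ignored, and a finding with an unknown severity
    label is treated as maximally severe so the gate fails closed.
    """
    today = today or date.today()
    threshold = SEVERITY_RANK[fail_on]
    unknown = max(SEVERITY_RANK.values())
    active = {s["id"] for s in suppressions if date.fromisoformat(s["expires"]) > today}
    findings = json.loads(report_json)["findings"]
    blocking = [f for f in findings
                if SEVERITY_RANK.get(f["severity"], unknown) >= threshold and f["id"] not in active]
    blocking.sort(key=lambda f: SEVERITY_RANK.get(f["severity"], unknown), reverse=True)
    return len(blocking) == 0, blocking


if __name__ == "__main__":
    passed, blocking = evaluate_gate(SAMPLE_REPORT, SAMPLE_SUPPRESSIONS, fail_on="high")
    for f in blocking:  # one line per blocking finding, as a CI log would show it
        print(f"BLOCKING {f['severity'].upper():8} {f['rule']} at {f['file']}:{f['line']}")
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)  # non-zero exit stops the pipeline stage
```

Suppressions live under version control next to the code, so a reviewer sees every accepted risk and its expiry in the same pull request that introduced the code.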
As in any change management process, implementing DevSecOps will succeed only if both the team and management buy into the idea. Developers should be trained in security principles and secure coding practices. Once trained, they need to be incentivized to follow those practices throughout the coding process.
In short, DevSecOps provides a great opportunity to build security into the product without skyrocketing the cost of product development.
Erik Oltmans, an Associate Partner from EY, Netherlands, spoke at the Software Intelligence Forum on how the consulting behemoth uses Software Intelligence in its Transaction Advisory services.
Erik describes the changing landscape of M&A. Besides the financial and commercial aspects, PE firms now place equal value on technical assessments, especially for targets with significant software assets. He goes on to detail how CAST Highlight makes these assessments possible with limited access to the target's systems, customized quality metrics, and the liability implications of open source components, all three of which are critical for M&A due diligence.