
This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Jan 30, 2019 — Application Security expert

Part 1: App Security Should Be an Integral Part of Your DevSecOps Process — Not an Afterthought

What are the key considerations and components of DevSecOps?

The intention of DevSecOps is to build the mindset that everyone is responsible for security — and that security needs to be built into your process, rather than as a perimeter around apps and data.

In a traditional Software Development Life Cycle (“SDLC”), security was handled by a separate team in the final stage of development. This waterfall approach was workable when development cycles lasted months or years. With the rise of agile, Continuous Integration (“CI”) and Continuous Deployment (“CD”) models, it is no longer feasible.

DevSecOps builds a flexible collaboration between release engineers and security teams so that security is built into the DevOps process. This avoids the bottleneck that older security models place on the CI/CD pipeline, but it requires more communication and shared responsibility between development, IT and security teams, so that security testing and implementation happen in iterations during code development rather than shortly before release.

The two primary benefits of DevSecOps are:

  1. Better ROI of existing security infrastructure
  2. Improved operational efficiencies across security and the rest of IT

The six important components of a DevSecOps approach are:

  1. Code Analysis: Deliver code in small chunks and analyze each one, so vulnerabilities are identified quickly and close to where they were introduced
  2. Change Management: Increase speed and efficiency by allowing anyone to submit changes, then determine whether each change is acceptable before it is merged
  3. Compliance Monitoring: Keep evidence of controls current so you are ready for an audit at any time
  4. Threat Investigation: Identify potential emerging threats with each code update and be able to respond quickly
  5. Vulnerability Assessment: Identify new vulnerabilities with code analysis, then measure how quickly they are responded to and patched
  6. Security Training: Give software and IT engineers guidelines for the routines they are expected to follow
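Components 1, 2 and 5 above come together in a single pipeline step: every change is scanned, open findings at or above a severity threshold block the merge, and the time from introduction to fix is tracked. The script below is an added example of such a gate and is not code from the original post or from Arxan. It assumes scan output has already been normalized into a hypothetical JSON shape (`id`, `package`, `severity`, `introduced`, `fixed`); the sample findings, the severity order and the SLA values are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Severity order used by the gate; anything outside it is treated as critical.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Remediation SLA per severity, in hours (hypothetical policy values).
SLA_HOURS = {"critical": 24, "high": 72, "medium": 240, "low": 720}

# Constructed sample scanner output; the field names are an assumed
# normalised shape, not any real scanner's format.
SAMPLE_FINDINGS = json.dumps([
    {"id": "F-1", "package": "libexample", "severity": "critical",
     "introduced": "2019-01-10T09:00:00Z", "fixed": "2019-01-11T15:00:00Z"},
    {"id": "F-2", "package": "libother", "severity": "high",
     "introduced": "2019-01-20T12:00:00Z", "fixed": None},
    {"id": "F-3", "package": "libthird", "severity": "low",
     "introduced": "2019-01-22T08:00:00Z", "fixed": None},
])


def parse_ts(value):
    """Parse a UTC timestamp of the form YYYY-MM-DDTHH:MM:SSZ."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def severity_rank(severity):
    """Map a severity label to its rank; unknown labels fail closed as critical."""
    if isinstance(severity, str) and severity.lower() in SEVERITY_RANK:
        return SEVERITY_RANK[severity.lower()]
    return SEVERITY_RANK["critical"]


def parse_findings(raw_json):
    """Load findings and convert timestamps; 'fixed' stays None while open."""
    findings = []
    for item in json.loads(raw_json):
        findings.append({
            "id": item["id"],
            "package": item["package"],
            "severity": str(item.get("severity", "unknown")).lower(),
            "introduced": parse_ts(item["introduced"]),
            "fixed": parse_ts(item["fixed"]) if item.get("fixed") else None,
        })
    return findings


def gate(findings, threshold="high"):
    """Return (passed, blocking): blocking lists open findings at or above
    the threshold severity, and any such finding fails the build."""
    cutoff = severity_rank(threshold)
    blocking = [f for f in findings
                if f["fixed"] is None and severity_rank(f["severity"]) >= cutoff]
    return (len(blocking) == 0, blocking)


def mean_time_to_remediate_hours(findings):
    """Average hours from introduction to fix over findings that were fixed."""
    durations = [(f["fixed"] - f["introduced"]).total_seconds() / 3600
                 for f in findings if f["fixed"] is not None]
    if not durations:
        return None
    return sum(durations) / len(durations)


def findings_over_sla(findings, now):
    """Open findings whose age exceeds the remediation SLA for their severity."""
    late = []
    for f in findings:
        if f["fixed"] is not None:
            continue
        age_hours = (now - f["introduced"]).total_seconds() / 3600
        limit = SLA_HOURS.get(f["severity"], SLA_HOURS["critical"])
        if age_hours > limit:
            late.append(f)
    return late


if __name__ == "__main__":
    findings = parse_findings(SAMPLE_FINDINGS)
    passed, blocking = gate(findings, "high")
    print("gate:", "PASS" if passed else "FAIL", [f["id"] for f in blocking])
    print("MTTR hours:", mean_time_to_remediate_hours(findings))
    now = parse_ts("2019-01-30T12:00:00Z")
    print("over SLA:", [f["id"] for f in findings_over_sla(findings, now)])
    raise SystemExit(0 if passed else 1)
```

Run as a CI step, the non-zero exit status is what blocks the merge. Two choices matter in practice: the gate fails closed on a severity it does not recognise, so a scanner that changes its labels cannot silently wave findings through, and the SLA check reports on open findings independently of the merge decision, which is the measurement component 5 asks for.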

By integrating security into the agile development process, organizations will be able to address security threats more effectively, in real time. Making security a shared responsibility between development, IT and security teams should help change the perception that security is a burden and slows down the agile process — in addition to sensitizing the entire team to the need for speed and agility to deliver new solutions to market.

To learn more about how to start implementing a DevSecOps process into your organization, read our blog next week.
