This post is from the Arxan blog and has not been updated since the original publish date.

Last Updated Feb 20, 2019 — Application Security expert

Part 4: App Security Should Be An Integral Part Of Your DevSecOps Process — Not An Afterthought

Application Security

 

How Arxan can help streamline and optimize your DevSecOps process

One of the most important factors to keep in mind when deploying a DevSecOps team is maintaining the right level of involvement between your developers and your security team. Scheduling too many reviews or meetings will bog down the development process, causing timelines to slip and your application to miss its launch deadline.

A good rule of thumb is to schedule security reviews to coincide with product milestones, such as a sprint review. Major issues should still be identified by the developers and escalated to Product Management and the Security team for review, but typically these reviews can be used to assess any newly completed features for potential security flaws in their implementation.

Even after an application is released, its security status should be continually assessed and reviewed, and any weakness should be remediated. New features will constantly be added with each new release, and these features could in turn add new threats that can be exploited. Just because an application has left your organization’s walls and ventured into the wild does not mean your assessment process should end. A DevSecOps team should constantly be adapting in order to account for any new threats that were missed during development or have emerged from a previously considered “safe” attack surface.

One of the primary differentiators for Arxan’s Application Protection solutions is our Threat Analytics service. From the moment an app is deployed into a zero-trust environment, it immediately starts collecting data and sending alerts back when the app is downloaded onto a jailbroken or rooted device or when its code is being reverse engineered or tampered with, and it reports which guard is firing so you can understand exactly what an attacker is targeting within your application. Depending on the severity of the threat and the activity detected, Arxan can isolate malicious activity within a walled garden to prevent the theft of confidential data, payment details, user credentials and more.

Additionally, one of the first things that a DevSecOps team encounters when attempting to integrate within the current development process is resistance to change. All too often, the security vs. performance pendulum swings too far towards security when first starting out, and this leaves developers feeling resentful towards this new “security-minded” approach. You want to avoid any sort of “takeover” approach when first starting out.

Arxan’s Application Protection solutions are designed not to interfere with the development lifecycle and can be implemented during the build phase at the end of each sprint to ensure code is secure before deployment. Arxan offers a solution for teams trying to achieve this precious balance when just starting out on the DevSecOps journey, or as a best practice when new apps are developed to begin with. With a new zero-configuration initial setup that does not disrupt continuous integration and continuous development (CI/CD) and DevSecOps environments, Arxan can easily deploy a baseline set of protection guards with analytics enabled. This ensures the app is protected upon release and that the analytics start collecting data, enabling the DevSecOps team to adjust and optimize protections based on the behavior it sees once the app is deployed.

To learn more about how Arxan can help, request a meeting.

 
