DevSecOps approach: definition and benefits

Fabrice Croiseaux, CEO, InTech
By M. Renotte 02/01/2020

EBRC and InTech, which are both members of the POST group, have combined their expertise to help companies take full advantage of the agility and responsiveness of the DevOps approach while directly incorporating security practices into that approach. This integrated approach reconciles continuous development with the requirements of cybersecurity and data protection.

From DevOps to DevSecOps approach: the need for agile delivery and cyber-security

"IT decision-makers are now using three tactics to transform their organisations: modernising existing systems, cyber-security and moving towards agile development and delivery models", says Jean-François Hugon, Head of Marketing at EBRC. "In the latter area, the adoption of a DevOps approach directly based on agile methods enables IT teams to set up a continuous development and production cycle, thus increasing their responsiveness in taking into account business demands and reducing the time-to-market of applications."

Within a DevOps context, the traditional silos separating developers, testers, production managers and system administrators are dismantled. All stakeholders work more closely together throughout the development and deployment process, thus enabling them to better understand each other's expectations and the challenges they face.

DevOps approach by InTech and EBRC

"By joining forces, EBRC and InTech are able to provide end-to-end support in the implementation of the DevOps value chain, from design to operation, through development, testing and deployment", said Fabrice Croiseaux, CEO of InTech. "EBRC, a company specialising in IT infrastructure, critical IT operations and IT transformation, has extensive experience in system operations and conducts the operational management of IT environments for many customers", he says. "As for InTech, it is a leading stakeholder in the fields of software development, application architectures and the implementation of industrial development platforms."

Development, operations and security: DevSecOps approach pillars

However, while an effective DevOps approach ensures fast and frequent development cycles, it does not consider a critical aspect of development, namely that of application security. Yet, inadequate security practices can cancel out the benefits offered by even the most effective DevOps projects. It is within this framework that an evolution of the DevOps principles, DevSecOps, is emerging. The latter is an approach that brings IT services closer in line with business needs and also strengthens the security of developments, improves their quality and demonstrates greater proactivity in terms of performance, resilience and high availability.

"The global transformation of IT services that we are witnessing introduces a change in the way projects are approached", emphasizes Jean-François Hugon. "Companies are seeking greater agility for both business and IT. Developers have more responsibilities, in particular with regard to cross-cutting considerations such as quality and safety. The latter is no longer pushed back to the end of the chain, it is integrated by design."

1st DevSecOps approach benefit: prioritising security

The DevSecOps approach is based on integrated security, not on a security perimeter that protects applications and data. When security is relegated to the end of the development process, companies that adopt the DevOps approach may face long development cycles, which they were trying to avoid. The DevSecOps approach therefore involves thinking about the security of the application and infrastructure from the outset. It is based on close collaboration between development and cybersecurity teams to ensure the safety of products throughout their lifecycle. This approach prioritises security by establishing a framework for development activities. "Good security practices in development are known and documented. These include OWASP, for example, which lists major application security vulnerabilities and provides the tools enabling developers to address them. On the other hand, the automatic integration of OWASP controls into the development industrialisation process can still be improved. This is precisely what we are doing with EBRC in the framework of the implementation of DevSecOps", says Fabrice Croiseaux.

2nd DevSecOps approach benefit: automation and continuous monitoring

In order to avoid any slowdown in DevOps flows and since manual security checks can be time-consuming and costly, the automation of repetitive tasks is a key element of the DevSecOps approach. Automation applies in particular to development control: developers can continuously test their code to identify potential vulnerabilities as early as possible and thus reduce the number of post-deployment patches.

It also affects system control through solution containerisation, which makes it possible to isolate a system’s various functions, automate security audit operations and check that cybersecurity policies are being properly implemented at all times. Using containerised environments also makes it possible to secure the infrastructure by automating incident detection processes. Thus, when an intrusion attempt or abnormal flow is detected, it is possible to disable and isolate corrupted instances and instantly redirect traffic.

3rd DevSecOps approach benefit: openness and interoperability

"Today, the technologies that enable the agility and responsiveness objectives of the DevOps approach to be achieved can to a large extent be implemented in the public cloud", said Fabrice Croiseaux. "However, our customers can benefit from a comparable level of service through a platform hosted in Luxembourg, in the Trusted Cloud Europe and EBRC's Tier IV Data Centres, and meet both the regulatory requirements of the various regulators and the compliance criteria of the most demanding international standards such as ISO 27001, ISO 20000, ISO 22301, Tier IV and PCI DSS, among others."

DevSecOps approach by InTech and EBRC

The EBRC-Kubernetes as a Service cloud platform includes all the building blocks needed to industrialise the deployment, scaling and orchestration of micro-service architectures and containerised applications. With the Red Hat OpenShift solution (a continuous security-oriented platform common to development and operations teams that allows them to create, deploy and manage containerised applications), EBRC-KaaS forms the foundation of InTech and EBRC's DevSecOps technology offering. By focusing on openness and interoperability, POST group companies differentiate themselves from traditional public cloud stakeholders and enable companies to protect themselves against the risk of vendor lock-in.

"EBRC also has very high levels of expertise in information security and cyber-resilience as well as in process management and information systems governance", recalls Jean-François Hugon. "By combining their respective expertise", he goes on to say, "InTech and EBRC support their customers in their DevSecOps journey by helping them transform their development methods as well as by ensuring a transfer of skills relating to new ways of approaching infrastructure."

From DevOps to DevSecOps: key factors for a successful transition

Both the scope and impact of a transition to DevSecOps are considerable. While DevOps remains complex in the eyes of developers who take on greater responsibility, system administrators are forced to adapt their traditional skills to information systems configured and managed by code. These are risk factors that must be taken into account in any DevSecOps strategy.

From development to operation, from ideation to maintenance, EBRC and InTech combine all the assets to enable companies to seamlessly integrate into their IT organisation all the key factors on which a successful transition to DevSecOps depends, whether for the purpose of setting up an active collaboration between all stakeholders, standardising development and delivery processes by integrating cybersecurity requirements, introducing new technological tools for automating checks and operations, or organising cross-functional governance which is common to all businesses and professions involved in the application lifecycle.