In application development, two models have come to stand for how software is built. The first, the waterfall method, was introduced in 1970 and emphasises a logical progression of steps through the software development life cycle (SDLC).
The six steps of the waterfall model are requirements analysis, system design, implementation, testing, deployment and maintenance. Critics of the waterfall model cite its inability to accommodate change across the life cycle, including client feedback, which usually arrives only in the latter stages of development.
DevOps, the second model, is said to complement agile principles: several standard DevOps practices, such as automated build and test, continuous integration and continuous delivery, originated in the agile world.
One of the most visible drivers of digital transformation is the imperative to deepen the relationship with the customer. This is the front end of the discussion. Behind every digital transformation initiative is agile, viewed by many as addressing the communication gaps between customers and developers. DevOps is the behind-the-scenes technical equivalent of agile, addressing the gaps between developers and IT operations / infrastructure.
Secure DevOps practice, also known as DevSecOps, is critical for enterprises that must rapidly develop and deploy digital innovations. It brings security into the DevOps methodology by integrating security testing into the continuous integration and continuous delivery pipelines, so that security findings surface alongside functional test results rather than in a separate review at the end of the cycle. IDC says the ability to quickly create, deploy, and iterate high-quality software will be a core business requirement by 2023.
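What "integrating security testing into the pipeline" looks like in practice is a gate: a step that reads the scanner's output and decides whether the stage passes. The block below is an added illustration written for this article, not code from IDC, WhiteHat or FutureCIO. It assumes the scanner emits SARIF 2.1.0 and that each rule carries the numeric `security-severity` property (0 to 10) that GitHub code scanning uses; the severity bands, the scanner name `example-sast`, the rule IDs, the sample findings and the baseline are all constructed for the example. The baseline is the part practitioners tend to forget: without a way to record accepted risk, the gate either blocks on every legacy finding or gets switched off.

```python
"""Minimal CI security gate over SARIF scanner output (illustrative only).

Flattens SARIF results, maps each finding to a severity band, drops findings
already accepted in a baseline, and decides whether the stage passes.
Sample input is constructed inline so the script runs offline.
"""
import json


def severity_band(score):
    # Assumption: GitHub code-scanning style bands for "security-severity".
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    return "low"


def load_findings(sarif):
    """Flatten SARIF runs/results into rule, band, location and message."""
    findings = []
    for run in sarif.get("runs", []):
        rules = {r["id"]: r for r in run["tool"]["driver"].get("rules", [])}
        for result in run.get("results", []):
            rule = rules.get(result["ruleId"], {})
            score = float(rule.get("properties", {}).get("security-severity", 0.0))
            loc = result.get("locations", [{}])[0].get("physicalLocation", {})
            uri = loc.get("artifactLocation", {}).get("uri", "<unknown>")
            line = loc.get("region", {}).get("startLine", 0)
            findings.append({
                "rule": result["ruleId"],
                "band": severity_band(score),
                "location": f"{uri}:{line}",
                "message": result.get("message", {}).get("text", ""),
            })
    return findings


def evaluate_gate(findings, baseline, block_bands=("critical", "high")):
    """Return (passed, blocking, accepted).

    A finding is keyed by rule + location; keys in the baseline are accepted
    risks and never block. Only the bands in block_bands fail the stage;
    lower bands are reported but let the build through, which keeps the gate
    visible to developers without stalling every merge.
    """
    blocking, accepted = [], []
    for f in findings:
        key = f"{f['rule']}@{f['location']}"
        if key in baseline:
            accepted.append(f)
        elif f["band"] in block_bands:
            blocking.append(f)
    return (len(blocking) == 0, blocking, accepted)


# Constructed SARIF document standing in for a real scanner's output.
SAMPLE_SARIF = json.loads("""
{"version": "2.1.0", "runs": [{
  "tool": {"driver": {"name": "example-sast", "rules": [
    {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
    {"id": "py/weak-hash", "properties": {"security-severity": "7.5"}},
    {"id": "py/hardcoded-secret", "properties": {"security-severity": "9.1"}}
  ]}},
  "results": [
    {"ruleId": "py/sql-injection", "message": {"text": "query built from user input"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/db.py"},
                                         "region": {"startLine": 42}}}]},
    {"ruleId": "py/weak-hash", "message": {"text": "MD5 used for file checksum"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/util.py"},
                                         "region": {"startLine": 7}}}]},
    {"ruleId": "py/hardcoded-secret", "message": {"text": "API key in source"},
     "locations": [{"physicalLocation": {"artifactLocation": {"uri": "app/config.py"},
                                         "region": {"startLine": 3}}}]}
  ]}]}
""")

# Constructed baseline: the non-security checksum use of MD5 was reviewed and accepted.
BASELINE = {"py/weak-hash@app/util.py:7"}


def run_gate(sarif=SAMPLE_SARIF, baseline=BASELINE):
    findings = load_findings(sarif)
    return evaluate_gate(findings, baseline)


if __name__ == "__main__":
    passed, blocking, accepted = run_gate()
    for f in blocking:
        print(f"BLOCK  {f['band']:<8} {f['rule']} {f['location']}: {f['message']}")
    for f in accepted:
        print(f"ACCEPT {f['band']:<8} {f['rule']} {f['location']} (in baseline)")
    raise SystemExit(0 if passed else 1)
```

In a pipeline the script's exit status is what the CI stage keys on; the baseline file would live in the repository under review, so accepting a risk is itself a reviewed change rather than a setting someone flips in the scanner's console.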
According to WhiteHat Security's 2019 Application Security Statistics Report, organisations that have not adopted DevSecOps have, on average, more than 50% of their applications in an "always vulnerable" state.
IDC predicts that by 2024 DevSecOps will drive at least 50% of new applications in the Asia/Pacific (excluding Japan) (APEJ) region, with comprehensive security and compliance assessment built into the continuous delivery platform.
FutureCIO spoke to Dr Gina Smith, research manager at IDC Asia, to get her perspective on the state of DevSecOps in the region.
Smith says that as DevOps workflows increasingly drive such digital transformation, waterfall-style security testing and policies can gum up the works. Organisations must move now to shift security left, integrating it at multiple points along the software development life cycle.
“Further, they must integrate it in a collaborative way that is at once transparent to developers yet still preserves the agility, speed and teamwork that characterizes the agile and DevOps process,” Dr Smith adds.
An October 2019 451 Research report stated that only 9% of security budgets are dedicated to application security. Given the extent to which businesses depend on software for many aspects of operations, and how digital transformation calls for the accelerated rollout of new apps, this raises the question of why application security does not yet carry the same priority as DevOps itself.