Agility has become an unavoidable necessity in a fast-moving technology environment, but achieving it can be a challenge for organizations and their development teams. The DevOps philosophy provides a road map; following it is not always as easy.

Even more crucial than the need to transform the development process is the need to protect against ever more sophisticated threats and attacks. But some organizations are finding that agility and security can go hand in hand. SecDevOps is an approach to development that puts security right at the heart of DevOps by making it integral to the development cycle.

SecDevOps: Bridging the Gap Between Security and Agility

According to CIO Insight, organizations such as the endowment-based Dana Foundation have found the SecDevOps approach to be an effective way to bring security into DevOps. The result is faster development cycles and more robust security.

The Dana Foundation is primarily engaged in two fields: web activities related to grant management, and publishing and outreach operations, including an annual Brain Awareness Week. James Rutt, the foundation’s chief information officer (CIO), told CIO Insight that the organization was primarily concerned with “code quality and code security,” with a particular focus on protecting against the known classes of code vulnerability listed in the Open Web Application Security Project (OWASP) Top 10, such as cross-site scripting and cross-site request forgery.

The SecDevOps approach helped the foundation speed up its development process while reducing code vulnerabilities by 40 to 50 percent, according to Rutt. That result shows why and how security and agility can form an effective partnership.

Building Security Into the DevOps Cycle

Experts have been preaching for years that security needs to be built in, not bolted on after the fact. But the combination of conventional, prolonged development cycles with a fluid security environment has made built-in security almost impossible to achieve. After all, if new versions of a software package were released only every couple of years, the threat landscape would be radically transformed between two successive versions. Developers had no choice but to bolt new security fixes and features onto code that was already shipped.

In the world of DevOps, the software development cycle has become dramatically faster — so much faster, in fact, that code development can now match the pace of new security challenges. Developers are no longer focused on fixing existing code to handle new security threats. Instead, they are constantly building new code as part of the DevOps cycle, which means that new security features can be built in as part of the overall development process. This is exactly what the security community has been preaching all along.

SecDevOps is not a magic trick, but a natural, organic way to approach new security needs in the context of ongoing code development. This is very good news for organizations that are shifting into the DevOps era.
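One concrete form that “built in, not bolted on” takes in practice is a security check that runs with every build rather than in a review at release time. The block below is an added illustration, not code from the article or from the Dana Foundation: it expresses the two OWASP Top 10 issues the article names, cross-site scripting and cross-site request forgery, as tests that fail the build when a change reintroduces them. The renderers, the token helpers and the gate function are all hypothetical names chosen for the example; the deliberately unsafe renderer is kept only so the check can be shown catching it.

```python
"""Security gate that runs in CI on every commit (added example, hypothetical code).

Two checks, matching the OWASP Top 10 items named in the article:
  * XSS: untrusted text rendered into HTML must not introduce markup.
  * CSRF: a request must carry the token bound to the session, compared in
    constant time.
A failing check fails the build, which is the "built in" part of SecDevOps.
"""
import hmac
import html
import secrets
from html.parser import HTMLParser

# --- Output encoding (XSS) -------------------------------------------------

def render_greeting_vulnerable(name):
    # Deliberately unsafe "before" version: untrusted input concatenated into HTML.
    return "<p>Hello, " + name + "</p>"

def render_greeting(name):
    # Hardened version: escape for the HTML text context before concatenation.
    return "<p>Hello, " + html.escape(name, quote=True) + "</p>"

class _TagCollector(HTMLParser):
    """Collects every start tag and attribute name the browser would see."""
    def __init__(self):
        super().__init__()
        self.tags = []
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(name for name, _ in attrs)

def injected_markup(rendered, allowed_tags):
    """True if the rendered page contains tags outside the template's own set,
    or any on* event-handler attribute (the usual XSS payload shape)."""
    collector = _TagCollector()
    collector.feed(rendered)
    collector.close()
    return (any(t not in allowed_tags for t in collector.tags)
            or any(a.startswith("on") for a in collector.attrs))

# Constructed probes: the markup-bearing ones must be neutralised by escaping.
XSS_PROBES = [
    "<script>alert(1)</script>",
    "<img src=x onerror=alert(1)>",
    "Bob <b>bold</b>",
]

def check_xss(renderer, allowed_tags=frozenset({"p"})):
    """Passes only if no probe survives the renderer as live markup."""
    return not any(injected_markup(renderer(p), allowed_tags) for p in XSS_PROBES)

# --- Synchronizer token (CSRF) --------------------------------------------

def issue_csrf_token(session):
    """Mint a per-session token and store it server-side; return it for the form."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def verify_csrf(session, submitted):
    """Accept the request only if the submitted token equals the session's token.
    Missing tokens fail closed; comparison is constant time to avoid timing leaks."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))

def check_csrf():
    """Passes only if the right token is accepted and wrong/missing ones are rejected."""
    session, other = {}, {}
    token = issue_csrf_token(session)
    issue_csrf_token(other)
    return (verify_csrf(session, token)
            and not verify_csrf(session, other["csrf_token"])   # token from another session
            and not verify_csrf(session, None)                   # token omitted
            and not verify_csrf({}, token))                      # no session state

# --- The gate ---------------------------------------------------------------

def run_security_gate():
    """Map of check name -> passed. Extend with further checks as they are written."""
    return {
        "xss_output_encoding": check_xss(render_greeting),
        "csrf_token_verification": check_csrf(),
    }

def build_passes(results):
    return all(results.values())

if __name__ == "__main__":
    results = run_security_gate()
    for name, ok in results.items():
        print(f"{name}: {'PASS' if ok else 'FAIL'}")
    raise SystemExit(0 if build_passes(results) else 1)
```

Wired into the pipeline as a required step, the script exits non-zero and blocks the merge the moment a developer swaps `render_greeting` for a concatenating version or removes the token check; the same tests run unchanged on every later commit, so the protection travels with the code instead of being re-audited before each release.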
