The marketplace is demanding agility, but many enterprises perceive the need for agility as an ongoing security risk. If applications are constantly evolving, they assume, the process will constantly open up new avenues for attackers to exploit. This worry has given rise to a widespread misconception that security or agility is a binary choice.

But a growing number of organizations are challenging this stereotype and actively working to integrate security into the DevOps process. These proactive players in the agility game are acting on two basic principles and responding to two basic realities. One is that effective security is built in, not bolted on — meaning that even if agility were not an issue, security needs to be an integral part of the development process. The second principle is that attackers are agile, which means that security must also be agile.

Integrating Security Into the DevOps Process

A recent DigiCert survey titled “Making Security Agile” queried 300 enterprise leaders to determine “whether organizations are breaking down silos and inviting security to join the DevOps movement.” The survey revealed that these leaders put strong and nearly equal emphasis on increasing information security (90 percent), IT agility (88 percent) and development agility (87 percent).

Clearly, the respondents believe that they don’t need to choose between security and agility. Instead, they can integrate them and achieve both.

One significant challenge the survey found is that working faster often results in increased risk, while maximizing security sometimes means slowing down operations. The report suggested “changing how security works within the organization.”

Nearly half of respondents (49 percent) reported that they had already integrated security into the DevOps process, while another 49 percent said that they were working on completing that integration. Only 2 percent expressed no interest in doing so — a number so small that it may merely represent people who misread the question.

The greatest practical challenge, according to the survey, is that integration takes longer than most organizations anticipated: one to two years, as opposed to the typical expectation that it would take seven to 11 months.

Agility and Active Security

The survey specifically advised organizations to establish a social leader “to drive cultural change.” It also recommended limiting access, using encryption within an automated public key infrastructure (PKI), and investing in automated certificate management, patch management, vulnerability scanning and stack code analysis. These specific recommendations encapsulate the whole range of practical requirements for overcoming the security or agility conundrum.

But what stands out in the broader picture is how natural this integration is. When security is integrated into development, the result is an inherently robust architecture in which basic protective measures have been built in from the outset.

This security architecture is flexible when it comes to handling new threats because it is built with strong components that already achieve the basics and can be reconfigured as the threat environment changes. Agility thus includes an agile response to threats, making security more effective.

Rather than a false choice of security or agility, it turns out that agility is the right choice for enhanced security.

More from Application Security

Gozi strikes again, targeting banks, cryptocurrency and more

3 min read - In the world of cybercrime, malware plays a prominent role. One such malware, Gozi, emerged in 2006 as Gozi CRM, also known as CRM or Papras. Initially offered as a crime-as-a-service (CaaS) platform called 76Service, Gozi quickly gained notoriety for its advanced capabilities. Over time, Gozi underwent a significant transformation and became associated with other malware strains, such as Ursnif (Snifula) and Vawtrak/Neverquest. Now, in a recent campaign, Gozi has set its sights on banks, financial services and cryptocurrency platforms,…

Vulnerability management, its impact and threat modeling methodologies

7 min read - Vulnerability management is a security practice designed to avoid events that could potentially harm an organization. It is a regular ongoing process that identifies, assesses, and manages vulnerabilities across all the components of an IT ecosystem. Cybersecurity is one of the major priorities many organizations struggle to stay on top of. There is a huge increase in the number of cyberattacks carried out by cybercriminals to steal valuable information from businesses. Hence to encounter these attacks, organizations are now focusing…

X-Force releases detection & response framework for managed file transfer software

5 min read - How AI can help defenders scale detection guidance for enterprise software tools If we look back at mass exploitation events that shook the security industry like Log4j, Atlassian, and Microsoft Exchange when these solutions were actively being exploited by attackers, the exploits may have been associated with a different CVE, but the detection and response guidance being released by the various security vendors had many similarities (e.g., Log4shell vs. Log4j2 vs. MOVEit vs. Spring4Shell vs. Microsoft Exchange vs. ProxyShell vs.…

Unmasking hypnotized AI: The hidden risks of large language models

11 min read - The emergence of Large Language Models (LLMs) is redefining how cybersecurity teams and cybercriminals operate. As security teams leverage the capabilities of generative AI to bring more simplicity and speed into their operations, it's important we recognize that cybercriminals are seeking the same benefits. LLMs are a new type of attack surface poised to make certain types of attacks easier, more cost-effective, and even more persistent. In a bid to explore security risks posed by these innovations, we attempted to…