Shift-left Security with ‘Stretched’ DevSecOps
Whether it is a pandemic, a new emerging technology, or sudden developments in the market: organisations want to be able to respond quickly. That is why more and more organisations are switching to ways in which to develop applications directly in the public cloud: cloud-native software development.
Cloud-native development offers interesting possibilities to use, for example, microservices, Kubernetes and standard solutions made available by public cloud providers. There are, however, some potential issues along the way. It requires thorough knowledge of this technology on the part of the development teams. You must either already have this knowledge in house or acquire it. But it is scarce and often hard to find. The same applies to security, which is still often something of an afterthought.
It is a good idea to use the transition to cloud-native development to integrate security earlier in the development process: shift-left. In other words, move security to the left – the beginning – of your development process instead of the end (right).
Just as developers test their application code before it can be rolled out, they also need to implement security testing. It makes finding and fixing bugs and other errors easier and less time consuming. The longer you wait, the more difficult it will be to find a solution. Automating the shift of security to the design and development phases leads to better systems and reduces the chance of delays.
Security and DevOps are increasingly aware of the need to come together to take security and compliance considerations into account earlier in the development process. This method of secure development is also called DevSecOps.
It allows all stakeholders to determine early on in the process whether the configuration is acceptable. Developers must ensure that the system works as intended. Operations needs to know that the system is reliable and maintainable. Security needs to know that it has been configured in accordance with best practices and policies upon implementation and during operations, and compliance needs to know that it complies with audit and/or regulatory controls. As a result, new cloud-native applications are built securely from scratch.
Stretched DevSecOps for a solid foundation
If an organisation is still using large, monolithic applications, the switch to new development methods is a significant one. To work ‘secure by design’ in this new situation is realistically too much to ask of most IT teams. Organisations therefore increasingly opt for outsourcing.
This can feel rather challenging if IT is a critical part of business operations. However, with the right partner, outsourcing does not mean a loss of control, but rather rigorous management through close cooperation with an experienced specialist.
At Solvinity, we have developed the software release model Integrated Delivery for this. It comprises three components:
- It uses CI/CD: a method to continuously develop, test, integrate and deliver new code, making the development of applications much more efficient.
- It draws from a portfolio of carefully selected and demonstrably effective tools, such as container technology and Kubernetes.
- It is designed for close cooperation between Solvinity’s engineers and the client’s teams.
We call this cooperation ‘Stretched DevSecOps’, in which our engineers spend much of their time in the client’s office, or in virtual teams, working with in-house developers. The teams build mutual trust on the basis of clear agreements and close contact. At the same time, our secure development principles in areas such as hardening and security by design are transferred to the customer’s development teams.
Prepared for disruption
With Stretched DevSecOps, every organisation’s basic security is brought fully under control. This allows organisations to quickly switch to cloud-native development according to proven basic principles. The speed with which we get high-quality applications operational subsequently proves to be a major incentive for other departments to switch to cloud-native development as well. That way, the transition immediately becomes a strong foundation from which to make security-by-design a basic principle for the entire organisation.
Stretched DevSecOps also helps to embed the knowledge of efficient and secure cloud-native software development in your organisation as quickly as possible, in order to optimally prepare your organisation for the future. Experience with major clients in central government (among others, the Netherlands Police) and in financial services has demonstrated this.
We subsequently build on that solid foundation – together with the customer – towards a platform that offers room for innovation and growth – even if the next disruption is imminent.