DevSecOps
Cyber security as a business enabler

18th May 2021

For any business dealing with consumers' personal information, cyber security needs to be high on the agenda.

With ever increasing regulation around data and cyber attacks on the rise, the potential reputational and financial costs associated with a security breach are higher than ever. Just in the past year, organisations including Virgin Media, EasyJet, the Marriott, Twitter and even the Financial Conduct Authority have been subject to high profile data breaches.

And with the pandemic accelerating the global march towards online business transactions and experiences, the need for businesses to implement robust cyber security practices has never been greater.

Our Chief Information Security Officer, Alex Haynes, suggests three simple approaches businesses should look to adopt in order to identify system vulnerabilities, pre-empt security breaches and transform data security into an enabler for high-performing teams that take responsibility for end-to-end security throughout the product life cycle.

1. Penetration testing
A mainstay of cyber security is penetration testing, also known as pentesting or ethical hacking: an authorised simulation of a cyber attack, designed to determine the strengths and weaknesses of an organisation's IT infrastructure in order to maximise business continuity in the event of an attack.

Different pentesting methodologies are available, including traditional, automated and crowdsourced approaches. While the manual approach may be useful for projects where human intelligence is needed to determine the direction of testing, it can risk missing crucial weaknesses, depending on the expertise of the tester or the constraints of any deadlines they are working to.

Further, the speed of technology development is accelerating at such a pace that manual testing cycles – which are often annual – fail to keep up.

Automation can be a faster, more efficient and more reliable way to apply the latest automated security testing tools to scan for, exploit and report on an organisation's vulnerabilities. Ongoing evaluation of these tools is important to maintain high levels of cyber security.

Perhaps more controversially, crowdsourcing incentivises testers to identify vulnerabilities in return for rewards – a 'payment by results' approach. With ideological concerns around the hours of unpaid labour involved in this gig-economy-style model, CDL eschews this approach, seeing far greater value in implementing security measures early in the software development process rather than looking to 'patch up' a finished product.

2. 'Shifting left'
'Shifting left' to address security while the product is still in development ensures faster and more frequent security testing, auditing the code and practices that go into the software development process.

Crucial benefits include lower development costs (it's cheaper to fix security issues before they become embedded within the product), faster introduction of new technologies (both through early feedback loops and automated security testing) and, above all, higher-quality software.

3. Fixing 'human' flaws
Finally, security professionals can shift left even further by working with developers to understand who is writing the code and the extent of their security knowledge, helping them to build their skills over time.

This collaborative approach is known as DevSecOps (development, security and operations) and involves all members of a cross-functional team taking responsibility for the security of a product from the earliest stages of its development.

DevSecOps also works to make security a business enabler rather than a barrier; it gives everyone the tools to automate security rather than having to jump through hoops on each occasion, leading to high-performing teams with shared goals and responsibility for security across the entire product lifecycle. Combined with innovative training and assessment tools that fix 'human' flaws before any code is written, the end result is more informed, efficient and secure development strategies.
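One concrete form the 'shift left' and 'tools to automate security' ideas above take in practice is a policy gate in the build pipeline: a scanner (SAST, dependency audit or similar) runs on every change, and a small script decides whether the build may proceed. The script below is an added example written for this article, not CDL's own tooling; the report format, severity names, rule identifiers, file locations and the accepted-risk list are all constructed for illustration rather than taken from any real scanner.

```python
"""Policy gate for automated security scan results in a CI pipeline.

Added example (not CDL's code). A scanner emits findings as JSON; this
gate fails the build when any finding at or above the policy threshold
is not covered by a recorded, reviewed risk acceptance. The report shape
{"findings": [{"rule_id", "severity", "location"}]} and all sample
values are assumptions made for the example.
"""
import json
import sys
from dataclasses import dataclass

# Ordering used to compare a finding's severity against the policy threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    rule_id: str
    severity: str
    location: str


def parse_findings(report_json: str) -> list[Finding]:
    """Parse a scanner report; reject severities the policy does not know
    so a renamed level cannot silently slip past the gate."""
    data = json.loads(report_json)
    findings = []
    for item in data.get("findings", []):
        severity = str(item["severity"]).lower()
        if severity not in SEVERITY_RANK:
            raise ValueError(f"unknown severity {severity!r} in {item}")
        findings.append(Finding(item["rule_id"], severity, item["location"]))
    return findings


def evaluate_gate(findings, fail_at="high", accepted_risks=frozenset()):
    """Return (passed, blocking): blocking holds findings at or above
    fail_at whose rule_id has no recorded risk acceptance."""
    threshold = SEVERITY_RANK[fail_at]
    blocking = [
        f for f in findings
        if SEVERITY_RANK[f.severity] >= threshold and f.rule_id not in accepted_risks
    ]
    return (not blocking, blocking)


# Constructed sample report standing in for real scanner output.
SAMPLE_REPORT = json.dumps({
    "findings": [
        {"rule_id": "SQLI-001", "severity": "high", "location": "app/db.py:42"},
        {"rule_id": "HC-SECRET-002", "severity": "critical", "location": "config/settings.py:7"},
        {"rule_id": "WEAK-RAND-010", "severity": "medium", "location": "app/tokens.py:19"},
        {"rule_id": "OLD-LIB-004", "severity": "high", "location": "requirements.txt:3"},
    ]
})


def run_gate(report_json=SAMPLE_REPORT, fail_at="high",
             accepted_risks=frozenset({"OLD-LIB-004"})):
    """Run the full gate; returns (passed, [blocking rule ids])."""
    findings = parse_findings(report_json)
    passed, blocking = evaluate_gate(findings, fail_at, accepted_risks)
    return passed, [f.rule_id for f in blocking]


if __name__ == "__main__":
    passed, blocking = run_gate()
    for rule in blocking:
        print(f"BLOCKING: {rule}")
    print("gate:", "PASS" if passed else "FAIL")
    # A non-zero exit is what makes the pipeline stage fail.
    sys.exit(0 if passed else 1)
```

The accepted-risk list is the part worth getting right: it keeps the gate from being switched off wholesale when one finding is a known, documented exception, while everything else above the threshold still blocks the merge. With the constructed sample, the gate fails on the SQL injection and hard-coded secret findings, lets the medium-severity one through, and honours the recorded acceptance of the outdated-library finding.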

Final thought
It's a given that forward-looking businesses need to place technology at the heart of their business. More than this though, they need to ensure it is protected by embedding security strategies into every stage of their development and operations processes. The outcome will be resilient systems and reduced exposure to cyber threats.