Today there is more awareness of the importance of security than ever before, especially as 80% of businesses that fail to shift to a modern security approach are anticipated to face both increased operating costs and slower attack response by 2023.
This finding makes it clear that businesses must keep up with modern security technologies to avoid losing ground internally and externally. The digital transformation of business organizations, including telcos, requires an approach that strengthens the adoption, transformation, and expansion of digital technologies without compromising security. This pressure will continue in the long run, because new threats and attackers will certainly emerge to find and exploit vulnerabilities in systems.
The reality we live in now requires security to be integrated deeply. In fact, cybercrime is claimed to be the third-largest economy, expected to be valued at $6 trillion by 2025. Every year, the number of data breaches grows by 30%, while the number of compromised records soars by over 200%. With this in mind, companies should invest in building stronger security systems to protect their data and developments.
Development, security, and operations (DevSecOps) is one way to do that. As operations continue to shift drastically, including advances in automation technologies, application development, and IT infrastructure, more complex threats must be identified and addressed at an early stage.
DevSecOps: Definition, challenges, benefits
The global development, security and operations (DevSecOps) market size is expected to reach $11.3 billion by 2027. Treating security as a responsibility that grows in step with an organization's development and operations is a primary example of a cloud-based practice that reduces technical risk.
The core essence of DevSecOps is built-in security, not security that serves as a perimeter fence around applications and data. A trending practice in application security, it involves introducing security earlier in the software development life cycle (SDLC) and expanding collaboration between DevOps teams and security teams so that security is integrated into the software delivery cycle. By and large, DevSecOps requires a change in culture, process, and tools to achieve security as a shared responsibility.
Accordingly, the DevSecOps mantra is to make everyone accountable for security by implementing security decisions and actions at the same scale and speed as DevOps. And yet, the challenge arises when DevOps teams see security as a nuisance or IT security teams can't keep up with the fast pace of DevOps. Case in point: open-source tools may also have inadequate security features, which can create more attack opportunities.
Building security into DevOps then requires various steps to be taken carefully from the planning stage up to coding, building, testing, deploying, and monitoring, with real-time feedback loops and insights. Basically, everyone involved in the SDLC has a role to play in the DevSecOps continuous integration and continuous delivery (CI/CD) workflow.
A few best practices that will make the DevSecOps process run smoothly include (1) shift-left testing, i.e. embedding automated security controls and tests early in the SDLC; (2) threat modeling exercises to discover the vulnerabilities of assets and plug any gaps in security controls; (3) secure coding and static/dynamic code analysis; (4) controlling access to sensitive information with a zero trust framework; (5) creating an incident response plan; and (6) automated scanning upon deployment and tracking of dependencies.
Selecting the right tools to continuously integrate security helps meet the DevSecOps goal of promoting fast development of a secure codebase. This applies to embedded, networked, dedicated, consumer, and IoT devices. Five common categories of DevSecOps tools are alerts and notifications, automation, dashboards, threat modeling, and testing.
Alongside this, organizations with a DevOps framework are considering a shift toward a DevSecOps mindset by bringing individuals to a higher level of proficiency in security. As a result, the test-driven development environment already in place, together with continuous and automated workflow testing and integration, leads to seamless work, increased code quality, and enhanced compliance.
Other benefits of adopting DevSecOps include better return on investment (ROI) in the organization's existing security infrastructure; fewer administration failure incidents that could otherwise contribute to cyber-attacks and downtime; better communication, collaboration, and accountability between teams; greater flexibility in managing sudden changes during the SDLC; and faster releases of quality-assured products.
Without a doubt, DevSecOps is quickly becoming the status quo for application development and IT infrastructure processes, causing more frequent deployments, shorter lead time to change (LTTC), lower change failure rates, and faster mean time to recovery (MTTR).
Collaborative DevSecOps principles and practices
According to Gartner, DevSecOps will have a 20-50% market penetration within two to five years. The ongoing surge in the number of companies and applications shifting to the cloud, IoT deployments, and 5G rollouts are also anticipated to open new growth prospects for the market.
Gone are the days of monolithic applications, as APIs, microservices, and serverless functions now deliver modern DevOps workflows. Telcos are among the most active users of these applications as they evolve to serve the needs of digitally-focused customers. Operator software development teams work to maintain their unique mix of operational software used to manage their network and services. As a result, they must deal with a resilient network environment where new services and infrastructure are constantly added or enhanced. Thus, network operators should follow a DevSecOps approach, incorporating the security culture, practices and tools that drive visibility, collaboration and agility.
Areas of attention could include robust microservices-based infrastructure architecture with built-in security capabilities; configuration management mechanisms to enable consistent, controllable and maintainable overall system configuration; and a common set of automation, testing, and logging tools to maintain a consistent level of assurance.
It is evident that collaborative DevSecOps environments must include various technical controls, process controls and management techniques to minimize the risk of attacks. Being an extension of DevOps, it complements the philosophy of shared ownership by making security objectives part of the overall structure.
One good DevSecOps practice is the use of zero trust controls between containers. In highly collaborative environments such as data centers, mutual transport layer security (mTLS) authentication, which provides an encrypted and mutually authenticated communication tunnel per server cluster, should be used. Aside from this, new 5G core capabilities and architectural attributes are well suited to cloud native DevSecOps deployment models, creating value-added services (VAS) and applications integrated into the 5G core itself.
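To make the zero trust practice above concrete, here is an added example in Go; it is not code from the original article or from any vendor or project it mentions. It constructs a throwaway cluster CA and two workload identities entirely in memory (the names "cluster-ca", "billing" and "frontend" are made up), starts an HTTPS service that requires and verifies client certificates, and shows that a workload presenting an identity issued by the cluster CA gets a reply while a workload with no certificate is refused. In a real deployment the certificates would come from the cluster's issuer (a service mesh or similar) and be rotated, not minted by the service itself.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"time"
)

// issueCert makes an Ed25519 key and a certificate for cn: self-signed when isCA (the constructed
// cluster CA), otherwise signed by parent/parentKey. It panics on error because it is demo setup.
func issueCert(cn string, isCA bool, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // unique enough for a demo
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour), // short-lived workload identity
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")},
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	signer, signerKey := tmpl, key // self-signed unless a parent CA is supplied
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

func poolOf(ca *x509.Certificate) *x509.CertPool {
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return pool
}

// startService serves HTTPS and admits only peers whose certificate chains to ca;
// tls.RequireAndVerifyClientCert is the setting that turns one-way TLS into mTLS.
func startService(ca, cert *x509.Certificate, key ed25519.PrivateKey) *httptest.Server {
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// Only verified peers reach the handler, so PeerCertificates[0] is an authenticated identity.
		fmt.Fprintf(w, "hello %s", r.TLS.PeerCertificates[0].Subject.CommonName)
	}))
	srv.TLS = &tls.Config{
		MinVersion:   tls.VersionTLS12,
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    poolOf(ca),
	}
	srv.StartTLS()
	return srv
}

// call performs one GET; clientCert == nil models a workload with no identity to present.
func call(url string, ca *x509.Certificate, clientCert *tls.Certificate) (string, error) {
	cfg := &tls.Config{RootCAs: poolOf(ca), MinVersion: tls.VersionTLS12}
	if clientCert != nil { cfg.Certificates = []tls.Certificate{*clientCert} }
	tr := &http.Transport{TLSClientConfig: cfg}
	defer tr.CloseIdleConnections()
	resp, err := (&http.Client{Transport: tr}).Get(url)
	if err != nil {
		return "", err // under TLS 1.3 a missing client cert is reported here, after the handshake
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	return string(body), err
}

// Demo builds the CA and two workload identities, then returns the authenticated caller's
// reply and the error the anonymous caller receives.
func Demo() (reply string, anonymousErr error, err error) {
	ca, caKey := issueCert("cluster-ca", true, nil, nil)
	srvCert, srvKey := issueCert("billing", false, ca, caKey)
	cliCert, cliKey := issueCert("frontend", false, ca, caKey)
	srv := startService(ca, srvCert, srvKey)
	defer srv.Close()
	identity := &tls.Certificate{Certificate: [][]byte{cliCert.Raw}, PrivateKey: cliKey}
	if reply, err = call(srv.URL, ca, identity); err != nil {
		return "", nil, err
	}
	_, anonymousErr = call(srv.URL, ca, nil) // expected to be refused
	return reply, anonymousErr, nil
}

func main() { fmt.Println(Demo()) }
```

Two details matter for a practitioner. First, the server does not merely encrypt: with ClientAuth set to RequireAndVerifyClientCert it refuses any peer that cannot prove an identity chaining to the cluster CA, and the verified subject is available to the handler for authorization decisions. Second, under TLS 1.3 the client's handshake completes before the server evaluates the client certificate, so the rejection surfaces on the first request rather than at connection time; code that only checks whether the connection was established will miss it.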
In conclusion, the focus on security and performance offered by DevSecOps is particularly important in network service provider environments given the unique needs in providing wide-area communications services.