Why Pivoting in a Crisis May Actually Energize Secure DevOps

There’s Nothing New About the Pivot

Digital transformation has been around for about as long as the internet has been a household staple. Only in recent years, however, have we seen an accelerated push to digitalize pretty much everything. Until now, the driving force has been the market. Competitors with a range of new offerings are using technology not just to automate, but to completely change the way things are done.

This forces businesses to change what they do and often means accelerating new software products or features into the market.

The New Disruptor Has Created an Unprecedented Need for Agility

The pandemic has proven to be a new type of disruptor—one that affects everyone—and the need to pivot is no longer competitive; it’s existential. Some organizations have to get new technologies out there fast to help meet the health and financial challenges we’re facing. Social distancing means we need even more transformative digital solutions and we need them immediately. Telemedicine is now designed for people in urban areas as well as rural ones. Insurance companies, financial institutions and government agencies need to be able to handle massive surges in inbound requests.

Forrester offers this reflection on the relationship between change and development in the current climate: “The demand for change will continue to mount. You will be more and more tempted to clear it with large, risky ‘batches.’ By avoiding the perceived risk of change, you incur the risks of deferring it. These risks are equally if not more hazardous unless you plan to never change again. We don’t recommend this as a business strategy in troubled times.”[1] To us, this means the growing velocity of innovation can threaten security if not carefully handled.

What This Means for AppSec

Cybercriminals have mastered the art of the pivot since the beginning. As soon as one vulnerability closes, they immediately turn to another. And they always find a new one to exploit. Right now, there’s a rash of phishing, malware, DDoS and other types of attacks capitalizing on COVID-19 fears and behaviors.

Development teams must keep up with the competitive demands of the market, and they need to keep their constantly changing code base secure. On the subject of security, Forrester advises teams: “To ensure that security does not block agility, focus on enabling frictionless security in the DevSecOps process.”[1] In truth, enabling frictionless security throughout the SDLC has always been critical. The point is, wherever you are on that journey, if you’re accelerating development you must also be increasing the security controls in all your code development, testing and deployment practices.

Whatever automation you have, you’ll certainly need more to enable even faster release cycles. Whatever integration you currently have, you’ll probably need more to overcome the “silos” created with developers working from home. Whatever security controls you have across your software supply chain, you’ll likely need to improve and accelerate vendor security as you add third-party tools and code to further speed development. Whatever visibility you have into your software and infrastructure risk posture, you’ll surely need more real-time and actionable insight to make better decisions faster.

There Is Cause for Optimism

Businesses everywhere are reacting faster than ever before, pushing the limits of development agility and security. But there are still some questions to consider.

In some cases, organizations will simply need to accelerate their AppSec deployments. In others, a more transformative approach may be required. In any event, the actions taken now and in the immediate future—and the lessons learned—will change the way software is developed and deployed, enabling companies and teams to pivot like never before. After all, the current pandemic will at some point end, but the need for change never

[1] Source: Agile, DevOps, And COVID-19, Forrester Research.


*** This is a Security Bloggers Network syndicated blog from Blog | ZeroNorth authored by ZeroNorth.