The term DevSecOps is rapidly becoming commonplace and taking over the more traditional DevOps – and for good reason. DevSecOps highlights the fact that today’s data security can no longer be a separate work step, but must be an integral part of the software development cycle. When IT professionals’ data security work based on the DevSecOps approach is continuous and embedded within their organization, the results are increasingly visible, even to customers in external projects.
In a nutshell, DevSecOps is about making data security an integral part of the software development and production process from the get-go. Naturally, data security has always been a central and positive everyday issue for IT professionals: the latest developments are actively monitored, and expertise is supplemented with data security certifications.
So what changed with the rise of DevSecOps thinking?
With increasingly sophisticated tools and approaches, it is now easier, faster and more cost-effective to involve a security perspective in the software development process. When the assurance of data security and the mitigation of vulnerabilities proceed at the same pace as the rest of the work, duplicated effort at the end of the process is avoided, along with the extra costs and schedule delays it entails.
At the same time, data security experts and software developers are less often thought of as two separate groups in our industry. At Pinja, for example, all our developers are security-aware, and we collectively keep our eyes open in all situations. In addition to this, we also have dedicated security specialists who are available for internal mentoring and brainstorming, as well as for our clients.
Another important piece of information for clients is that they can benefit from all our internal security work in joint projects. Data security is a shared concern and part of responsible business, so good practices are readily shared.
SCA = Software Composition Analysis
SCA tools check third-party libraries and frameworks used in code for known vulnerabilities. This also helps keep external packages up to date, and quickly push updates into production.
SAST = Static Application Security Testing
Static application testing tools are used to scan and analyze the source code for potential security issues before it goes into production.
DAST = Dynamic Application Security Testing
Dynamic application testing tools are used to scan the running system for potential security issues.
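To make the SCA idea concrete, here is an added example (not Pinja's tooling, and not code from the original post) of the core check such a tool performs: it parses a pinned requirements file and flags every dependency whose version falls inside an advisory's affected range. The advisory identifiers, package names and version numbers are constructed for illustration only.

```python
import re

# Constructed advisory data (not a real database): package -> (advisory id, introduced, fixed).
# A pinned version is affected when introduced <= version < fixed.
ADVISORIES = {
    "examplelib": [("EXAMPLE-2024-0001", "1.0.0", "1.4.2")],
    "otherpkg": [("EXAMPLE-2023-0042", "2.0.0", "2.3.0"),
                 ("EXAMPLE-2024-0007", "2.0.0", "2.5.1")],
}

# Constructed requirements.txt content with exact pins, as a build would carry it.
REQUIREMENTS = """\
# runtime dependencies
examplelib==1.3.0
otherpkg==2.4.0
safepkg==0.9.1
"""

def parse_version(v):
    """Turn '1.4.2' into (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.split("."))

def parse_requirements(text):
    """Return {package: pinned version} from 'name==x.y.z' lines; comments and blanks are skipped."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.fullmatch(r"([A-Za-z0-9_.-]+)==([0-9.]+)", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable(pins):
    """Return (package, pinned, advisory id, fixed version) for every affected pin."""
    findings = []
    for pkg, pinned in pins.items():
        for adv_id, introduced, fixed in ADVISORIES.get(pkg, []):
            if parse_version(introduced) <= parse_version(pinned) < parse_version(fixed):
                findings.append((pkg, pinned, adv_id, fixed))
    return findings

def sca_report(text=REQUIREMENTS):
    """Run the check; a CI step would fail the build when this list is non-empty."""
    return find_vulnerable(parse_requirements(text))

if __name__ == "__main__":
    for pkg, pinned, adv_id, fixed in sca_report():
        print(f"{pkg}=={pinned}: {adv_id}, upgrade to >= {fixed}")
```

A real SCA tool does the same comparison against a maintained vulnerability database and handles version ranges beyond exact pins; wiring this check into the pipeline is what lets outdated packages be caught before they reach production.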
In my work as Pinja's IT security expert and technical project manager, I see a wide range of security work in the manufacturing industry. Each organization's starting point, existing information system solution, and potential risks form a unique set of factors that need to be considered when making security-related decisions. However, many aspects are also common to all, and in industrial organizations, for example, it is worth paying attention to at least the following four points:
Legacy systems deserve special attention, as the oldest link in the chain can also be the weakest – if updates are not taken care of. On the factory floor, for example, it is quite easy to forget about good old systems and leave them running for decades. It is not always possible or even sensible to replace old systems, but it is worth actively monitoring and ensuring their security.
Organizational users play a critical role in the level of security of the company, so training is a must. Practical data security work is also about continuous optimization, so it needs to be reviewed constantly. Enough needs to be done to avoid vulnerabilities and repel attacks. On the other hand, security processes should also be designed to be user-friendly, so as not to make it too difficult for users to carry out their daily work.
When help or skills are needed to assist your staff, an external partner can be of significant benefit, for example as a consultant, brainstorming partner, auditor, or ongoing partner. In fact, the same idea applies to security professionals as to organizations in other sectors: we also benefit from being audited from time to time by an external body.
Machine learning has long been used in virus scanners and SIEM solutions, but AI is now rapidly evolving in many other areas of security thanks to ChatGPT, among others. For example, ChatGPT can already be used for source code analysis at a certain level, and in penetration testing tools, the technology is starting to show up in various proof-of-concept projects. In the future, the playing field will change even more, so it is worth actively monitoring developments and constantly thinking about possible applications for your organization.
One of our interesting projects that followed the DevSecOps approach was with DigiFinland, when we implemented the Hoidonperusteet.fi web service together. It is a service for healthcare professionals to improve the assessment of the need for and urgency of care. The project’s software development and production rollout were carried out using the DevSecOps business model and SCA, SAST and DAST tools.
The fact that we share a common vision of data security with the client served as a good basis for the cooperation. DigiFinland also ensures responsible and systematic compliance with data security policies.
If your organization needs consultancy, additional skilled hands, or a more permanent partner for DevSecOps-based software development or other data security work, we are happy to help.