Continuous Security

Trend 3 - Continuous security with end-to-end integrated DevSecOps pipelines

This trend is most visible in internet-facing B2B and B2C applications, where exposure makes continuous security testing a necessity rather than an option. End-to-end DevSecOps pipelines integrate SAST, SCA, DAST, and RASP and/or IAST at the appropriate pipeline stages without manual intervention. Tool vendors offer straightforward CLI- and API-based integration for greenfield applications. Existing applications are harder: the initial scans must be run outside the pipeline, typically as nightly batches, and custom scripts are needed to triage false positives. Only once that large backlog of findings has been worked down are the tools integrated into the pipeline as gates. Many tools are adding features that ease this integration, such as incremental scanning to reduce scan time, AI-based identification of false positives and automated issue remediation. Container security is also brought into CI/CD pipelines through Docker-oriented tooling: Dockerfile scans, image scans, registry scans and container security testing.

An industry leader in brokerage and wealth management experienced a bottleneck in its underlying network of shared services. Because security testing was manual, it could not bring its end-user applications to market quickly. It partnered with Infosys to implement an end-to-end DevSecOps solution to improve speed and quality, which resulted in a nearly 88% reduction in release management effort, a four-times higher release frequency and $3.3 million in annual cost savings.

Trend 4 - Shift left with codification of security and privacy controls in DevSecOps

To scale DevSecOps across the enterprise, businesses are turning to reusable frameworks and centralized DevSecOps platforms. A consolidated security dashboard fed from the pipeline collects the defects found by all types of security testing tools, including SAST, SCA and DAST. Mature DevSecOps implementations also define metrics and set thresholds on them, so that a build can be judged against a policy rather than a raw list of findings. SaaS-based security testing tools are widening adoption by removing the infrastructure demands and tool-maintenance effort from the enterprise, and open-source tools ease the cost concerns attached to the large number of licenses that enterprise-scale adoption would otherwise require. Enterprises are also applying organizational change management: enabling secure coding practices for developers, bringing in a mindset change, and making security part of requirements and non-functional requirements (NFRs). Giving DevOps teams ownership of security aspects reduces the load that frequent releases of fast-moving applications would otherwise place on a small pool of security SMEs, and building trust and collaboration between those SMEs and the application teams reinforces the effort.
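The two mechanics described above, a consolidated view of findings from every scanner and a threshold-based gate that does not choke on the pre-existing backlog, are shown below as an added example. This is not code from the page or from Infosys. It normalises SAST output in SARIF 2.1.0 (a real, tool-neutral format) together with SCA, container-image and DAST results into one list, drops findings that were already triaged in the one-off backlog scan (the "baseline"), collapses the same CVE reported by both the SCA and the image scan, and fails the build when the count of new findings at a severity exceeds the policy. The SCA, image and DAST JSON shapes, the rule ids, the scan results and the baseline are all constructed for the example; the CVE and library used as sample data are real but the scan itself is not.

```python
"""Security quality gate for a DevSecOps pipeline (added example, not the page's or Infosys's code).
Merges SAST (SARIF 2.1.0), SCA, container-image and DAST findings, suppresses the
triaged backlog via a baseline, and fails the build when NEW findings exceed thresholds.
SARIF is a real format; the SCA/image/DAST JSON shapes are assumed for this example."""
import hashlib
from collections import Counter
from dataclasses import dataclass

SEVERITIES = ("critical", "high", "medium", "low", "info")
DEFAULT_POLICY = {"critical": 0, "high": 0, "medium": 10}  # max NEW findings per severity

@dataclass(frozen=True)
class Finding:
    tool: str      # sast | sca | image | dast
    rule: str      # rule id, CVE id or DAST alert name
    severity: str  # one of SEVERITIES
    target: str    # file path, package@version or URL
    line: int = 0

    def fingerprint(self) -> str:
        # Tool and line are excluded: the same CVE seen by SCA and by the image scan
        # counts once, and edits that shift line numbers do not resurrect baselined items.
        return hashlib.sha256(f"{self.rule}|{self.target}".encode()).hexdigest()[:16]

def _norm_sev(value) -> str:
    v = str(value).lower()
    return v if v in SEVERITIES else "info"

def parse_sarif(doc: dict) -> list:
    """SARIF runs -> results. Severity from a CodeQL-style 'security-severity' (0-10)
    score on the rule when present, otherwise mapped from the SARIF 'level'."""
    out = []
    for run in doc.get("runs", []):
        rules = {r["id"]: r for r in run.get("tool", {}).get("driver", {}).get("rules", [])}
        for res in run.get("results", []):
            rule_id = res.get("ruleId", "unknown")
            score = rules.get(rule_id, {}).get("properties", {}).get("security-severity")
            if score is not None:
                s = float(score)
                sev = "critical" if s >= 9 else "high" if s >= 7 else "medium" if s >= 4 else "low"
            else:
                sev = {"error": "high", "warning": "medium", "note": "low"}.get(res.get("level"), "info")
            loc = (res.get("locations") or [{}])[0].get("physicalLocation", {})
            out.append(Finding("sast", rule_id, sev, loc.get("artifactLocation", {}).get("uri", "?"),
                               loc.get("region", {}).get("startLine", 0)))
    return out

def parse_package_vulns(doc: dict, tool: str) -> list:
    """Assumed shape for SCA and image scanners: {"vulnerabilities": [{id, package, version, severity}]}"""
    return [Finding(tool, v["id"], _norm_sev(v["severity"]), f'{v["package"]}@{v["version"]}')
            for v in doc.get("vulnerabilities", [])]

def parse_dast(doc: dict) -> list:
    """Assumed shape: {"alerts": [{name, risk, url}]}"""
    return [Finding("dast", a["name"], _norm_sev(a["risk"]), a["url"]) for a in doc.get("alerts", [])]

def evaluate(findings, baseline: set, policy=DEFAULT_POLICY):
    """Return (passed, new_findings, counts). Baselined and duplicate findings are dropped."""
    seen, new = set(), []
    for f in findings:
        fp = f.fingerprint()
        if fp not in seen and fp not in baseline:
            seen.add(fp)
            new.append(f)
    counts = Counter(f.severity for f in new)
    return all(counts[s] <= limit for s, limit in policy.items()), new, counts

# --- constructed sample scanner output for the example; not real scan results ---
def _sarif_result(rule, level, uri, line):
    return {"ruleId": rule, "level": level, "locations": [{"physicalLocation": {
        "artifactLocation": {"uri": uri}, "region": {"startLine": line}}}]}

SAMPLE_SARIF = {"version": "2.1.0", "runs": [{
    "tool": {"driver": {"name": "example-sast", "rules": [
        {"id": "py/sql-injection", "properties": {"security-severity": "8.8"}},
        {"id": "py/hardcoded-credentials", "properties": {"security-severity": "9.8"}}]}},
    "results": [_sarif_result("py/sql-injection", "error", "app/db.py", 42),
                _sarif_result("py/hardcoded-credentials", "error", "app/settings.py", 7),
                _sarif_result("py/log-injection", "warning", "app/views.py", 88)]}]}
LOG4J = {"id": "CVE-2021-44228", "package": "log4j-core", "version": "2.14.1", "severity": "CRITICAL"}
SAMPLE_SCA = {"vulnerabilities": [LOG4J]}
SAMPLE_IMAGE = {"vulnerabilities": [LOG4J]}  # same library reported again inside the built image
SAMPLE_DAST = {"alerts": [{"name": "Missing Anti-clickjacking Header", "risk": "Medium",
                           "url": "https://staging.example/login"}]}

def all_sample_findings() -> list:
    return (parse_sarif(SAMPLE_SARIF) + parse_package_vulns(SAMPLE_SCA, "sca")
            + parse_package_vulns(SAMPLE_IMAGE, "image") + parse_dast(SAMPLE_DAST))

def run_example():
    # The one-off backlog scan already triaged the SQL injection in app/db.py (ticketed).
    baseline = {Finding("sast", "py/sql-injection", "high", "app/db.py").fingerprint()}
    return evaluate(all_sample_findings(), baseline)

if __name__ == "__main__":
    passed, new, counts = run_example()
    for f in new:
        print(f"{f.severity:8} {f.tool:5} {f.rule}  {f.target}:{f.line}")
    print("PASS" if passed else f"FAIL {dict(counts)}")
```

Run stand-alone, the gate reports four new findings (two critical, two medium) and fails the build, because the policy allows no new critical findings; the baselined SQL injection is suppressed and the log4j CVE is counted once even though two scanners reported it. In a real pipeline the baseline would be a committed, reviewed file produced from the backlog scan, and the fingerprint choice matters: leaving out line numbers keeps the baseline stable across refactors, at the cost of hiding a second instance of the same rule in the same file until the first is fixed.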

A large telecommunications provider faced fraud losses close to $490 million, which were expected to increase by nearly 38% yearly. Adopting a holistic people, process and technology approach, the client implemented enterprise-scale DevSecOps for over 1,000 applications, which resulted in a 40% increase in feature delivery and the elimination of almost $1 million in fraud losses within the first seven months of the implementation.