Security and policy compliance

Trend 3: End-to-end integrated DevSecOps pipelines aid enhanced security

Security issues and cyberthreats, particularly against B2B and B2C applications, are continuously rising. End-to-end DevSecOps pipelines integrate every security testing phase, including SAST, SCA, DAST, RASP, and/or IAST, in a no-touch fashion. Tool vendors offer straightforward CLI- and API-based integration for greenfield applications. Existing applications are more complex: scans should first be run outside the pipeline or in nightly batches, with custom scripts used to reduce false positives. Once those scans have cleared the large backlog of issues, the tools are integrated into the pipeline. Many promising tools include features that ease integration, such as incremental scanning to reduce scan time and AI-based capabilities to identify false positives and automate issue remediation. Docker tools also bring container security into CI/CD pipelines.

An industry leader in brokerage and wealth management experienced a bottleneck in its underlying network of shared services. Because security testing was manual, it could not achieve an early time to market for end-user applications. The client partnered with Infosys to implement an end-to-end DevSecOps solution to improve speed and quality. It has since reduced release management effort by around 88%, quadrupled the release frequency, and saved $3.3 million annually.

Trend 4: Codification of security and privacy controls enables a shift left

Businesses are looking to reusable frameworks and centralized DevSecOps platforms to scale adoption enterprise-wide. By implementing a consolidated security dashboard in the pipeline, they collect defects from every type of security testing tool, including SAST, SCA, and DAST. With mature DevSecOps implementations, businesses are also defining metrics and setting thresholds. The availability of SaaS-based security testing tools, which reduce the load on the underlying infrastructure and the effort needed to maintain tools, is encouraging DevSecOps adoption. Open-source tools help address the cost concerns arising from the many licenses needed for enterprise-scale adoption. Enterprises are implementing organizational change management tactics such as enabling secure coding practices for developers, changing mindsets, and making security part of requirements and NFRs. Empowering DevOps teams on security aspects also reduces the additional load on security SMEs created by the frequent releases of fast-moving applications. Increased trust and collaboration between security SMEs and application teams also help.
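As an added example (not from this report or any Infosys implementation), the Python script below shows how the pipeline gate described in Trends 3 and 4 can work: findings from SAST, SCA, and DAST tools are normalized to one record shape, the backlog accepted during a one-off scan of an existing application is suppressed through a baseline of fingerprints, and only new findings are counted against per-severity thresholds to pass or fail the build. The finding records, tool names, paths, URLs, and thresholds are constructed for illustration.

```python
from collections import Counter
from hashlib import sha256

# Constructed sample findings, already normalized to a common record shape
# regardless of which scanner type (SAST, SCA, DAST) produced them.
FINDINGS = [
    {"tool": "sast", "rule": "sql-injection", "location": "app/db.py:42", "severity": "high"},
    {"tool": "sast", "rule": "hardcoded-secret", "location": "app/config.py:7", "severity": "high"},
    {"tool": "sca", "rule": "vulnerable-dependency", "location": "libfoo==1.0", "severity": "critical"},
    {"tool": "dast", "rule": "missing-csp-header", "location": "https://app.example.com/login", "severity": "medium"},
    {"tool": "dast", "rule": "verbose-server-header", "location": "https://app.example.com/", "severity": "low"},
]

def fingerprint(finding):
    """Stable identity for a finding so it can be matched against a baseline."""
    key = "|".join(finding[k] for k in ("tool", "rule", "location"))
    return sha256(key.encode()).hexdigest()[:16]

# Baseline: fingerprints recorded during the one-off backlog scan of a legacy
# application (run outside the pipeline). These findings are already tracked
# for remediation, so they must not block the current build.
BASELINE = {fingerprint(FINDINGS[1]), fingerprint(FINDINGS[3]), fingerprint(FINDINGS[4])}

# Maximum number of NEW findings tolerated per severity before the gate fails.
# A severity missing from this map is treated as a threshold of 0 (fail closed).
THRESHOLDS = {"critical": 0, "high": 0, "medium": 3, "low": 10}

def evaluate_gate(findings, baseline, thresholds):
    """Separate backlog from new findings and decide whether the build may proceed."""
    new = [f for f in findings if fingerprint(f) not in baseline]
    by_severity = Counter(f["severity"] for f in new)
    breaches = {sev: n for sev, n in by_severity.items() if n > thresholds.get(sev, 0)}
    return {
        "passed": not breaches,
        "new_by_severity": dict(by_severity),
        "backlog_suppressed": len(findings) - len(new),
        "breaches": breaches,
    }

if __name__ == "__main__":
    result = evaluate_gate(FINDINGS, BASELINE, THRESHOLDS)
    status = "PASS" if result["passed"] else "FAIL"
    print(f"gate {status}: new={result['new_by_severity']} suppressed={result['backlog_suppressed']}")
    for sev, n in result["breaches"].items():
        print(f"  {sev}: {n} new finding(s) exceed threshold {THRESHOLDS[sev]}")
    raise SystemExit(0 if result["passed"] else 1)
```

Feeding the dashboard from the same normalized records keeps the metrics the gate enforces and the numbers the teams see identical.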

A large telecommunications provider was facing estimated fraud losses of $490 million per year, which was expected to increase by nearly 38%. The client, in partnership with Infosys, adopted a holistic people, process, and technology approach, and implemented enterprise-scale DevSecOps for over 1,000 applications. This increased feature delivery by 40% and eliminated almost $1 million in fraud losses within the first seven months of implementation.