As IT departments attempt to get to grips with a rapidly changing risk landscape, many are moving towards a development, security and operations (DevSecOps) approach to application development and security. Rather than application security being an afterthought at the end of the development pipeline, it is being integrated into the application lifecycle from the very start.
This shift from traditionally siloed ways of working to one of collaboration and mutual understanding involves significant cultural change.
Technologists need to leave behind entrenched mindsets and processes and embrace collaboration. They need to adopt new tools and technologies to manage the expanding attack surfaces created by the shift to cloud-native technologies, leaning on artificial intelligence (AI) and automation to accelerate remediation, improve response accuracy and provide the visibility into applications that is needed to keep them secure and performing well.
But perhaps most importantly, as the DevSecOps approach becomes the norm within IT departments in all industries, technologists will have to expand their knowledge and skills in other areas of IT to prosper. Besides developing new specialist skills within their discipline to support the shift to modern application stacks, they will also need to develop a greater understanding of other functions within the IT department to work effectively as part of a cross-discipline team.
Technologists will need to become both specialists and generalists to succeed.
A siloed approach to app security exposes risk and threatens innovation
According to the report "The shift to a security approach for the full application stack" by Cisco AppDynamics, 100% of technologists in Singapore admit that the rush to rapidly innovate and respond to the changing needs of customers and users during the pandemic has come at the expense of robust application security during software development.
Rapid cloud adoption and the availability of low-code and no-code platforms have enabled developers to accelerate release velocity and build more dynamic applications across more platforms.
But widespread adoption of multi-cloud environments means that application components are increasingly running on a mix of cloud platforms and on-premises databases, which opens visibility gaps and dramatically increases the risk of a security event. Indeed, the research finds that 87% of technologists in Singapore are now concerned that their organisation is vulnerable to a multi-staged security attack that would affect the full application stack.
New cybersecurity threats are exposing the flaws in traditional approaches to application security, and in particular, the lack of input that security has had into the application development process. In many organisations, there is little, if any, ongoing collaboration between the developer and security teams — they only engage when a security issue has already arisen.
The cultural shift to DevSecOps
Recognising the need for a new approach to application security, IT departments are moving towards a DevSecOps approach, where security and compliance testing are incorporated into the software development lifecycle from the very outset.
By taking this approach, developers can embed robust security into every line of code, resulting in more secure applications and easier security management, before, during and after release.
The research finds that 85% of technologists in Singapore now regard a DevSecOps approach as critical for organisations to effectively protect against a multi-staged security attack on the full application stack. And many IT departments are already making the shift — 37% have already started taking a DevSecOps approach, and a further 58% are considering it.
DevSecOps is enabled through security automation, which integrates security gates throughout the development pipeline without slowing it down, and through AI and machine learning technologies that identify gaps, predict vulnerabilities and automate the processes that remediate any security holes.
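The article talks about security gates that run throughout development without slowing it down. The following is an added illustration, not code from the article or from Cisco AppDynamics, of what such a gate looks like in practice: a small policy check that reads scanner findings and blocks a build only on high-impact findings, warns on medium ones, and honours time-limited risk acceptances so that exceptions cannot silently become permanent. The JSON shape of the findings, the severity names and the finding identifiers are all constructed assumptions for the example.

```python
"""Minimal CI security gate (added example; assumptions are noted in comments).

Assumed input: a scanner report as a JSON list of findings, each with an "id",
a "severity" and a human-readable "title". Real scanners use richer formats
(SARIF, CycloneDX, ...), but the policy logic is the same.
"""
import json
import sys
from datetime import date
from typing import Dict, List, Mapping

# Policy: only critical/high findings stop the pipeline. Keeping the blocking
# set narrow is what allows the gate to run on every commit without developers
# learning to ignore it; medium findings are surfaced as warnings instead.
BLOCKING_SEVERITIES = frozenset({"critical", "high"})
WARN_SEVERITIES = frozenset({"medium"})

# Constructed sample report; identifiers are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps([
    {"id": "FINDING-0001", "severity": "critical", "title": "Outdated TLS library"},
    {"id": "FINDING-0002", "severity": "high", "title": "Hard-coded credential in config"},
    {"id": "FINDING-0003", "severity": "medium", "title": "Verbose error page"},
    {"id": "FINDING-0004", "severity": "low", "title": "Missing cache headers"},
])

# Accepted risks: finding id -> date the exception expires. An expired entry is
# treated as if it were never granted, so accepted risks are revisited.
SAMPLE_ALLOWLIST = {
    "FINDING-0002": date(2099, 1, 1),   # still valid on the sample date below
    "FINDING-0001": date(2020, 1, 1),   # expired: the finding blocks again
}


def evaluate(report_json: str,
             allowlist: Mapping[str, date] = None,
             today: date = None) -> Dict[str, List[str]]:
    """Sort findings into block / warn / ignore buckets according to the policy."""
    allowlist = allowlist or {}
    today = today or date.today()
    findings = json.loads(report_json)
    buckets: Dict[str, List[str]] = {"block": [], "warn": [], "ignore": []}
    for finding in findings:
        fid = finding["id"]
        severity = str(finding.get("severity", "")).lower()
        expiry = allowlist.get(fid)
        if expiry is not None and today <= expiry:
            buckets["ignore"].append(fid)       # accepted risk, not yet expired
        elif severity in BLOCKING_SEVERITIES:
            buckets["block"].append(fid)
        elif severity in WARN_SEVERITIES:
            buckets["warn"].append(fid)
        else:
            buckets["ignore"].append(fid)
    return buckets


def gate_passes(report_json: str,
                allowlist: Mapping[str, date] = None,
                today: date = None) -> bool:
    """True when nothing in the report should stop the build."""
    return not evaluate(report_json, allowlist, today)["block"]


def main() -> int:
    """Run the gate on the constructed sample; exit status drives the CI step."""
    result = evaluate(SAMPLE_REPORT, SAMPLE_ALLOWLIST, date(2024, 6, 1))
    for bucket, ids in result.items():
        print(f"{bucket:6s}: {', '.join(ids) or '-'}")
    return 0 if not result["block"] else 1


if __name__ == "__main__":
    sys.exit(main())
```

Wiring this into a pipeline means running the scanner, feeding its output to the gate and letting the exit status decide whether the stage fails; the allowlist belongs in version control next to the code so that every accepted risk has an owner, a review history and an expiry date.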
For IT departments, DevSecOps involves wholesale cultural change. Technologists need to become less sceptical or suspicious of other teams and more open and transparent about the work that they do. They need to embrace new ways of working based on collaboration, mutual understanding and recognition.
The generalist-specialist technologist
Critically, organisations need to ensure they have the right skills within the IT department to be able to manage application security against constantly evolving and ever more sophisticated threats.
Security professionals need the skills (and the visibility) to detect and resolve issues across the whole technology stack, whether that is cloud-native microservices, containers orchestrated by Kubernetes, multi-cloud environments or mainframe data centres.
As with so many areas relating to cloud-native technologies, application security skills are becoming a huge challenge. In fact, 81% of technologists in Singapore report that a lack of application security skills and resources is now an issue for their organisation.
Fewer than half of technologists feel fully confident that they have the skills needed to manage the application security threats their organisation currently faces. IT leaders will be looking urgently to recruit and develop these skills over the coming months.
But as well as specialist skills, technologists will also need to improve their understanding of other areas of IT. The shift to a DevSecOps approach requires all technologists — whether they are DevOps, ITOps, SecOps or site reliability engineers — to broaden their skill sets to be able to work effectively as part of an integrated application team. So, security professionals must develop new skills and a greater understanding of application development, while developers need to become more knowledgeable about security.
Interestingly, the research indicates that technologists are aware of this need to pursue a dual approach to upskilling. Nearly nine in 10 (87%) believe that successful modern technologists are those who can be both specialists in their particular field but generalists across other areas of the technology stack.
For technologists, the shift to DevSecOps may initially take them outside their comfort zone, but they should feel positive and excited about the change. It presents an opportunity to try new ways of working, make new connections and expand their knowledge.
Those who embrace the change and focus on developing both their specialist and generalist skills will set themselves up to thrive in this new cloud-native environment.
Simon Pearce is the CTO adviser for APJC at Cisco AppDynamics