Challenges and Opportunities for Security Assurance in DevOps

Copyright: © 2021 | Pages: 8
DOI: 10.4018/978-1-7998-7367-9.ch010

Abstract

This chapter contains background information on the concepts that form the basis for the research. The author provides an overview of the integration of security activities in traditional procedural approaches and discusses the potential differences in agile, iterative contexts. Concepts such as “continuous integration,” “continuous deployment,” and “shift left” are introduced. The challenges and opportunities to achieve security assurance in DevOps environments are discussed, and the objective of the research project is presented.

Introduction

The digital world is a vital playing field in this era of innovation and business transformation. Meeting market demands requires continuous change to digital platforms. The speed with which we deliver these changes is a determining factor for the competitive advantage of an organisation. To satisfy the demand for speed and agility, new ways of organising work are being explored and are rapidly gaining popularity. As software becomes an integral element of business growth, the focus on fast delivery of features with tangible business value has increased. Organisations want the ability to seize opportunities without being stopped in their tracks.

Increasing pressure from regulators and a decreasing tolerance for security breaches by customers are reducing the risk appetite of key stakeholders and investors. We can only achieve business value if we can do so reliably and securely. This reduced risk appetite leads to increasing attention to secure business value creation.

The challenge that presents itself is increasing the security characteristics of our digital platforms without sacrificing speed and agility. The security industry often states that rapid change increases security risk. This does not necessarily hold true, as security itself benefits from the ability to implement changes quickly. It allows a system to react to newly discovered vulnerabilities and the ever-changing threat landscape. What we consider secure today may not necessarily be the case tomorrow. The only way to safeguard business value is through rapid change.

The outcome of this research aims to provide a framework of validated security activities for DevSecOps environments ranked by their characteristics to improve security without sacrificing speed and agility. This framework allows organisations to build a “lean” approach to security.

This part of the book provides an overview of the drivers and approach for the research project.
