31 May 2021
Why DevSecOps over Devops ?
4 mins read
InfoSec and cybersecurity are no longer just jargon. Every industry is pursuing digitization, which inevitably means being connected to, or exposed through, an external network. The question is now on the minds of business owners as much as technologists: "If my application data travels through unknown territories, how can you, as my technology provider, ensure the security of my application and data?"

For a technologist, news of security breaches, ransomware and the like has become a day-to-day affair for the IT department to deal with. The cybersecurity threat space is alarming and growing rapidly, and the solution space is struggling to keep up despite the enormous sums spent on expensive security products. After all, 100% security remains a concept far from reality. My point is that, just like any other part of software development, security should be a prime concern that is evaluated and scrutinized in every phase of the project, starting with planning.

Having developed and shipped numerous solutions for clients in various industries, Flycatch believes a concrete security framework is pivotal across the board. Our experience in dealing with clients' cybersecurity worries has led us to rethink our process and bring a security perspective in from the inception of the project.

What we have observed:

The industry has long underestimated the problem of cybersecurity, which has resulted in solutions that do not stand up to the current threat space. We have seen many applications developed with:

  • Unstable software versions open to known vulnerabilities.
  • Loosely coupled integration with external systems.
  • Improper infrastructure management, with no patching or environment upgrade mechanism in place.
  • Immature system design with zero consideration for security.
  • No defined data transfer mechanism in place.
  • No documentation or communication matrix.
  • Databases directly accessible from outside the application, an easy road to severe database threats.
  • Lack of cybersecurity awareness, or of reasonably knowledgeable resources, to manage the system.
  • Finally, no clear ownership of end-to-end application communication.


Flycatch’s Approach

With every client Flycatch deals with, we try to create a security mindset right at the onset of planning, development, QA and operations. The security mindset brings in parameters that are conventionally not considered for solutions. This creates a larger space for business and technology to think of wider and more comprehensive solutions, and it settles many of the questions that would otherwise trouble the client for a long time.

Project plan with ample slots to discuss and formulate security issues and solutions:- We have rarely seen a project plan with explicit line items for discussing the security requirements of the solution, nor a design effort dedicated to the security preparation of the application.

Make best use of security features in cloud platforms:- Most public cloud service providers on the market offer best-in-class security measures in the form of managed services. Leveraging these in the right proportion and scale is usually sufficient to secure the application. The expense of such managed services, however, pushes small and medium players towards other options, such as a virtual private cloud, that better align with their budget.

Discipline in segregation of application touch points:- Microservice-based architecture makes it natural to design services that are very specific and segregated. Restricting each service's access to specific data objects, and isolating databases absolutely from the outside world except through the API layer, makes it considerably harder for an attacker to reach the data.

Controlled proxy for incoming and outgoing traffic and application integration:- Trusting connections only from whitelisted request origins, and encrypting the information sent back, should be a design and coding principle for the application. Further, schemas designated for particular services give additional protection and limit the data exposed to a small fraction even in the case of a breach. Still, we live in an era where things are ever changing, and no one can guarantee a 100% safe IT solution.

The virtual firewall is the other major service we leverage most on a private cloud infrastructure. The combinations of rules and permissions the service offers help us precisely define what is accessible and what is not.
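To make the segregation and firewall points above concrete, here is an added example (not Flycatch's code) of a minimal first-match, default-deny rule evaluator for the tiers described: the database is reachable only from the API tier, and the API tier only from the internet over TLS. The subnets, ports and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None matches any destination port


# Constructed sample tiers (hypothetical addresses, not a real deployment).
API_TIER = "10.0.1.0/24"
DB_TIER = "10.0.2.0/24"
ANY = "0.0.0.0/0"

# Policy mirroring the post: DB segregated from the outside world except
# via the API layer; API exposed only on 443. Order matters: first match wins.
POLICY: List[Rule] = [
    Rule("allow", API_TIER, DB_TIER, 5432),  # API -> DB on the database port only
    Rule("allow", ANY, API_TIER, 443),       # internet -> API over TLS
    Rule("deny", ANY, DB_TIER, None),        # nothing else may reach the DB
]


def matches(rule: Rule, src: str, dst: str, port: int) -> bool:
    """True if the connection (src, dst, port) falls within the rule."""
    return (
        ip_address(src) in ip_network(rule.src)
        and ip_address(dst) in ip_network(rule.dst)
        and (rule.port is None or rule.port == port)
    )


def evaluate(policy: List[Rule], src: str, dst: str, port: int) -> str:
    """Return the first matching rule's action; unmatched traffic is denied."""
    for rule in policy:
        if matches(rule, src, dst, port):
            return rule.action
    return "deny"  # default deny: anything not explicitly allowed is blocked


if __name__ == "__main__":
    # An internet host trying the database port directly must be refused.
    print(evaluate(POLICY, "203.0.113.9", "10.0.2.7", 5432))
```

The same shape applies whether the rules end up as cloud security groups or on-premises virtual firewall entries: enumerate the few paths that must exist, and let everything else fall through to the default deny.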

Credential Management:- Multi-factor authentication is one of the industry-proven mechanisms for giving your application the best security cover. A strong password policy reinforces those provisions.

Decision on the best-fit infra for your needs:- Beyond cost, the sustenance of the business sometimes depends on governance or regulatory compliance requirements. In such cases I have noticed that the private cloud computing model is best for businesses with dynamic or unpredictable computing needs that require direct control over their environments, since it makes managing the infrastructure and application against regulatory and compliance checklists easier.

With the wisdom and exposure gained from many solution implementations, Flycatch is already moving to ensure our clients understand that security must be one of the indispensable parameters of project formulation and execution. Our solutions are no longer merely DevOps-centric; they will be DevSecOps. We strongly believe DevSecOps is going to be the game changer in eliminating the gaps between the security problem space and the business solution space, and an attempt to reinforce the trust between solution provider and business.

Written by
Liju Kuriakose