Thanks to technologies such as the Internet of Things (IoT),embedded systems, Machine to Machine (M2M)communication, cloud computing we are at the verge of what is considered the fourth industrial revolution. In parallel, hyper connectivity will lead to a tectonic shift in the structure of the current economic system: the passage from a linear value chain, to a non-linear ‘value network.
Smart connected systems or Intelligent systems are the enabling technologies that lie at the heart of this radical transformation to a network-based economy. These Intelligent systems allow the creation of integrated and self-regulating systems beyond firm- or industry boundaries, which are instrumental in the optimization of production processes. The production of intelligent systems -enabled smart factory will be able to react in real-time to changes on the market and in the supply, chain adjusting the flow of goods autonomously.
On the other hand, concerns about security, technical challenges, and the limited understanding of the market from consumer side still represent barriers to a full uptake of this trend. Security represents the number one preoccupation of consumers when they approach remote services, as this entails placing sensitive information on the cloud. The full implementation of Intelligent systems raises several technical challenges, such as interoperability and broadband infrastructure. Policy support to security of Intelligent systems is surely needed in the form of the right framework conditions. This entails establishing provisions for data security and privacy, ensuring interoperability, and fostering a company ecosystem as the next generation marketplace. Also, the support to enter a challenging market, for SMEs and start-ups, will be beneficial to the uptake of the trend.
With all these new technological capabilities becoming available, the attack surface increases as threat agents grow in number and capability. Security breaches are becoming more common and more expensive to fix.
Especially within the rapid accelerating technological trend convergence, security becomes a real concern. Several government and private organizations recognize the urgent need to rethink our software development practices and culture by leveraging the commercial sector for new approaches and best practices. DevSecOps is such a best practice as it enables the delivery of resilient software capability at the speed of relevance, a central theme of software modernization across the industry. DevSecOps is a proven approach widely adopted by commercial industry and is successfully implemented. DevSecOps is a core tenant of software modernization, technology transformation, and advancing an organization’s software development eco system to be more resilient, while ensuring cybersecurity and metrics/feedback are paramount. The DevSecOps software lifecycle approach creates cross-functional teams that unify historically disparate evolutions – development (Dev), cybersecurity (Sec), and operations(Ops). As a unified team they follow Agile principles and embrace a culture that recognizes resilient software is only possible at the intersection of quality, stability, and security
Security has always been a separate silo that defines security requirements and demands for certain security controls to approve new software code. In most cases, security is involved at a later stage when it is expensive to make changes or apply fixes. Thus, it becomes an added layer on top of the application, rather than an integrated part.
DevSecOps is a socio-technical system that integrates development, security, and operations in support of a continuous integration, continuous delivery (CI/CD) environment. DevSecOps promises a high return on investment but requires a significant shift in existing culture, process, and technology. The DevSecOps environment is specifically designed to increase system quality, reduce capability time-to value, and minimize cognitive differences among the developers, securers, operators, and users of mission-critical defense and intelligence community systems. Substantively changing even one of those things in an established organization is difficult. The impact of changing them all may seem impossible, but it has been done with significant success. Clearly, moving your organization down a path to DevSecOps without compromising your existing mission goals and strategic trajectories is a daunting task—one that is different for every organization.
- culture—DevSecOps integrates activities of people with different mental models and responsibilities; this impacts the way the organization communicates and works together. DevSecOps is a no blame culture. “Blame-processing” wastes time and energy; the focus of DevSecOps is on identifying, fixing, and preventing the problem from recurring. DevSecOps culture is transparent; lean and agile practices require sharing information to make decisions at the lowest level and orchestrate the overall flow. DevSecOps culture is efficient, constantly eliminating limited-value work. DevSecOps is integrated, reducing silos and incorporating all of the disciplines (e.g., development, verification and validation/quality assurance, operations, users, managers, finance, procurement) in the team.
- processes and practices—DevSecOps requires processes that support the culture and integrate the development and operations work. organizational changes will likely be needed. organizational structures, work descriptions, responsibilities, reward systems/incentives, vv & a processes, procurement/licensing practices, decision making, and feedback mechanisms are examples of the DevSecOps scope.
- system and architecture—devsecops works most efficiently if the target system is architected to support the devsecops practices. the architecture should support test automation and continuous integration goals; applications should support changes without release (e.g., late binding) and ensure the required -ilities (e.g., scalability, security, reliability).
- automation & measures—while devsecops is primarily about culture, people, and processes, automation is a primary enabler for achieving its benefits. devsecops seeks to automate repetitive and error-prone tasks (e.g., build, testing, deployment, maintaining consistent environments), provide static analysis automation (for architecture health), and enhance communications and transparency through performance dashboards and other radiators.
The benefits of adopting DevSecOps in smart industry include:
- Reduced meantime to production: Reduces the average time it takes from when new software features are required until they are running in production.
- Increased deployment frequency: Increases how often a new release can be deployed into the production environment.
- Decreased mean time to recovery: Decreases the average time it takes to identify and resolve an issue after a production deployment.
- Decreased change-fail rate: Decreases the probability that a new feature delivered in production will result in a failure in operations.
- Fully automated risk management: Well defined control gates perform risk characterization, monitoring, and mitigation as artifacts are released and promoted through every step, from ideation through production.
- Baked-in Cybersecurity: Software updates and patches delivered at the speed of relevance
