Full Text

Software runs our businesses today. It powers operations, transactions, communications—just about every facet of the digital organization. It follows that ensuring the security of applications and operating systems is a major priority for development and security teams. This is where DevSecOps plays a key role.

Development, security, and operations

DevSecOps is short for development, security, and operations. An extension of the devops model for software development, it involves applying security measures throughout the software development life cycle (SDLC). DevSecOps calls for everyone involved in the development process to be aware of the need for security. As a model, DevSecOps encompasses a set of practices to increase collaboration between the security, development, and operations teams, with the goal of making software more secure.

Examples of DevSecOps practices include security design reviews, scanning code for security vulnerabilities, and remediating bugs that present legitimate threats. By introducing security earlier in the SDLC, DevSecOps ensures that the organization takes security seriously rather than treating it as an afterthought. Part of the effort of instituting DevSecOps includes making the necessary process, cultural, and technology changes.

Why DevSecOps matters

Software vulnerabilities can become entry points for cybercriminals to launch attacks, and these attacks can affect entire supply chains. A recent example is a vulnerability discovered in Apache Log4j in late 2021. Log4j, a Java package located in the Java logging systems, makes it easier for Java applications to log data. It is widely used and highly pervasive.

Late last year, engineers discovered a remote code execution flaw in Log4j that lets hackers take control of systems and their data. The bug also...