Information security programmes, traditionally implemented with a waterfall approach, need to evolve to support the growing DevOps movement.

This is according to Tammy Naicker, executive head of department: Group Technology Governance & Assurance at Vodacom, who was speaking at the ITWeb Security Summit 2019 in Johannesburg this week. She was presenting a DevSecOps case study, sharing how Vodacom implemented security into the different stages of the software development lifecycle.

“Technology is becoming a competitive advantage and we have to evolve beyond the traditional ways of doing things,” she said. “Customers now want their evolving needs to be met on a 24/7 basis. They want constantly improving experiences, and they want products and services to be released faster than ever before. But they also expect these products and services to be secure. That’s a lot to ask from traditional technology teams.”

“To meet changing market needs, DevOps is coming, and if it’s not done right and in a secure manner, it will cause chaos in the organisation,” she said.

“DevOps is agile and ultimately gets better products and services to the customer in record time, but you can’t afford to overlook security and compliance. In an environment where you’re developing faster and coding more, there is a risk of loopholes and attacks, so you need to be thinking about cyber security and information security, internal threats and compliance.”

“If you’ve adopted a DevOps model, you need to be thinking of DevSecOps and creating a security as a code culture. Look to create code that is as secure as possible, test it, release it into the environment and then monitor it while it’s live to ensure that throughout the process you’re thinking about security.”

In this evolving environment, security testing needs to be automated and developers need continuous security training, she said. “It all starts with the culture of the organisation, driven from the top,” said Naicker.