
Why DevSecOps Is More Important Now Than Ever

Technologist and IBM Fellow Rosalind Radcliffe advises that a collaborative and automated approach to development is necessary for the future 

By Dava Stewart

Image created with Adobe Firefly

In a world where the use of digital tools keeps expanding and cybersecurity threats keep growing with it, development, security and operations must all be elements of one process: DevSecOps. Rather than being tacked on at the end, effective security is baked into the product from the beginning. This represents a change in more than processes, though. It requires a change in how teams operate and, in most cases, a change in company culture.

You really can’t have security as a separate team try to come in and make something secure after the fact. You have to have security by design.

—Rosalind Radcliffe, IBM Fellow, CTO for IBM CIO Platform Transformation

In an organization with established silos, changing the way teams work and interact with each other can be a challenge, according to Radcliffe. Each team has an idea of what their responsibilities are, and where they stop. Large organizations such as governments have the most brick walls between departments and teams, and Radcliffe observes that it’s easy for developers to say, “That’s not my job,” and simply throw a problem over the wall for a different team to deal with.

Changing those attitudes is sometimes more difficult than any other part of instituting the principles of DevSecOps. “We have to break the concept that it’s somebody else’s responsibility,” says Radcliffe. “You need to have the culture of ownership of this function end-to-end.” Teams need to feel they have the responsibility of building, running, maintaining and securing the end product.

Radcliffe notes that when developers have more responsibility for running systems, they tend to provide better logging and error checking. “You actually end up with better developers because they care more about the product. There’s no throwing it over the wall.” When developers are responsible for security, they make sure the right firewalls are in place, ports are closed and overall functionality improves.

According to a Gartner survey:

- 50% of organizations had already implemented DevSecOps
- 30% are in the process of implementing DevSecOps
- 10% reported it’s in the plans
- 1% do not plan to implement DevSecOps


The true benefit [of DevSecOps] is more security at lower cost.

—Rosalind Radcliffe

Putting Together a DevSecOps Team

In most organizations the security team is smaller than others, so it’s not possible to assign one security expert to each team of developers. Instead, making security a part of the overall development process means training developers to include security. “The reality is you can’t train people fast enough,” says Radcliffe, so the solution is a focus on common pipeline platform capabilities from an automation standpoint.

For example, a company could create a secure build process that everyone uses. They have their own particular build scripts, but there’s a secure build process so that everyone doesn’t have to build it from scratch. Similarly, a centralized mechanism for purchasing licenses prevents everyone from needing to spend the time and resources evaluating tools and buying licenses.

“Having a developer platform, a pipeline provided to all the teams so that they can focus on the security of their app and not all the other process pieces is critical,” says Radcliffe.

Using the principles and processes of DevSecOps doesn’t mean organizations no longer need dedicated security professionals, either. “The true security experts should be focused on things that are less normal,” says Radcliffe. “Like malicious testing, or the boundary of the organization.” Reviewing every app, checking all the boxes and all the other routine steps involved in making sure a product is secure belongs to the developers.
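The shared pipeline Radcliffe describes usually ends in a central gate: every team's build feeds its scan results into one policy that the platform team owns, so "checking all the boxes" is automated and the developers only have to fix what the gate reports. The following is an added illustration of such a gate, not code from IBM or from the article; the scanner names, the severity scale, the placeholder advisory id and the sample findings are all constructed for the example.

```python
"""Central security gate for a shared build pipeline (illustrative example)."""
from dataclasses import dataclass, field
from datetime import date

# Severity scale is an assumption; real scanners each have their own.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass(frozen=True)
class Finding:
    tool: str       # which scanner produced it: "sast", "dependency-scan", "secret-scan"
    rule_id: str    # scanner rule id or advisory id
    severity: str   # low / medium / high / critical
    location: str   # file:line or manifest:package


@dataclass
class GatePolicy:
    fail_at: str = "high"                                  # block at this severity or above
    required_tools: tuple = ("sast", "dependency-scan", "secret-scan")
    always_block: tuple = ("secret-scan",)                 # never waivable, any severity
    exceptions: dict = field(default_factory=dict)         # rule_id -> expiry date of a reviewed waiver


@dataclass
class GateResult:
    passed: bool
    blocking: list
    reasons: list


def evaluate_gate(findings, tools_run, policy, today=None):
    """Apply the platform-wide policy to one build's scan output."""
    today = today or date.today()
    reasons = []
    # A build that skipped a required scanner is not "clean", it is unknown: fail closed.
    missing = [t for t in policy.required_tools if t not in tools_run]
    if missing:
        reasons.append("required scanners did not run: " + ", ".join(missing))
    threshold = SEVERITY_RANK[policy.fail_at]
    blocking = []
    for f in findings:
        rank = SEVERITY_RANK.get(f.severity.lower(), SEVERITY_RANK["critical"])  # unknown severity: fail closed
        waivable = f.tool not in policy.always_block
        if waivable and rank < threshold:
            continue
        expiry = policy.exceptions.get(f.rule_id)
        if waivable and expiry is not None and expiry >= today:
            continue                                       # time-boxed exception still valid
        blocking.append(f)
        reasons.append(f"{f.tool}: {f.rule_id} ({f.severity}) at {f.location}")
    return GateResult(passed=not missing and not blocking, blocking=blocking, reasons=reasons)


# Constructed sample input: one team's scan results on one build.
ALL_TOOLS = ("sast", "dependency-scan", "secret-scan")
SAMPLE_TODAY = date(2024, 6, 1)
SAMPLE_AFTER_EXPIRY = date(2025, 1, 1)
SAMPLE_POLICY = GatePolicy(exceptions={"dep-advisory-placeholder-1": date(2024, 12, 31)})
SAMPLE_FINDINGS = [
    Finding("sast", "py/sql-injection", "high", "app/db.py:42"),
    Finding("dependency-scan", "dep-advisory-placeholder-1", "critical", "requirements.txt:somelib"),
    Finding("sast", "py/log-injection", "low", "app/views.py:17"),
    Finding("secret-scan", "generic-api-key", "medium", "config/settings.py:7"),
]


def run_sample(tools_run=ALL_TOOLS, today=SAMPLE_TODAY):
    return evaluate_gate(SAMPLE_FINDINGS, tools_run, SAMPLE_POLICY, today=today)


def run_clean_sample():
    return evaluate_gate([], ALL_TOOLS, SAMPLE_POLICY, today=SAMPLE_TODAY)


if __name__ == "__main__":
    result = run_sample()
    print("PASS" if result.passed else "BLOCKED")
    for reason in result.reasons:
        print(" -", reason)
```

Two design points carry the article's argument. The exception list is owned centrally and every entry expires, so a waiver is a reviewed, temporary decision rather than a permanent "not my job"; and a missing scanner fails the build, because a platform that lets teams opt out quietly is no longer a common process.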

Regardless of the industry, the size of the company or other factors, moving from a siloed approach to development, security, QA testing and so on, to an integrated approach where developers have more responsibility for the end product, results in improved efficiency and efficacy, and more security. Beginning with the principle “It’s got to be secure” means problems are eliminated before they exist, so it’s unnecessary to go back and fix them later.

Thinking of DevSecOps like preventive healthcare may be useful. Junk food seems cheaper at a glance, and not paying for a gym membership or sports equipment costs less than paying for them. Yet, the cascade of potential health issues resulting from poor nutrition and lack of physical exercise is costly and often leads to a poorer overall quality of life.

AI and the Future of DevSecOps

The future of so many elements of IT is inextricably linked to AI, and DevSecOps is no different. Three considerations when it comes to DevSecOps and AI include ethical use of a new technology, automation and security. 

“People need to bring AI into their pipelines and into their secure development processes to make sure they’re as secure as everything else,” says Radcliffe. At the same time, she adds, “They have to be very careful about what they are looking at.”

Regardless of the model, whether it’s Copilot, watsonx Code Assistant, ChatGPT or something else, organizations need to pay attention to how the models are trained and, equally importantly, what the AI tools produce. “We’re in this interesting transition and we have to be very careful that we don’t just trust, we have to verify and put extra checks in place,” advises Radcliffe. 

Automation of processes is one of the keys to breaking silos and increasing collaboration. AI enables automation, and Radcliffe expects its capabilities to keep increasing. One example is the reuse of code. If an organization has a piece of code that it created and that works well, reusing it makes sense. “Right now, developers cut and paste anyway,” she says. If teams could instead give AI the best instance and let it search the code base for what the company has already built, they would write less code but deliver more capability and more real business value.

“The other thing is AI is going to make security even harder,” says Radcliffe. It will make fakes more common, and problems will be harder to identify. In a never-ending circle, developers are going to need AI to counter AI. Ultimately, AI will “help developers and processes become better, to counter the fact that bad actors are going to use them to do the bad side of everything,” she adds.

No matter what it’s called, the transformation of breaking down silos, using automation, improving efficiency and eliminating the redundancy of doing the same tasks repeatedly offers enormous value. Moving forward into a collaborative environment and driving ownership are keys to the future. “We can’t go backwards,” says Radcliffe. “The improvement is what matters.”

Rosalind Radcliffe
IBM
Rosalind is the CTO for the platform that supports all of IBM's internal business processing, driving the efforts for the true hybrid cloud and infusing AI into all of IBM's internal operations. This includes providing the developer platform and CI/CD pipeline for applications across the CIO. She is driving the Client 0 adoption of IBM technology by partnering with IBM product teams and research to transform, standardize and automate the processes, tools and methodologies that make IBM the most secure, agile, efficient and automated hybrid cloud engineering organization. She is a frequent speaker at conferences, a master inventor and the author of “Enterprise Bug Busting.”