
The main difficulty in implementing secure development practices

Posted: Thu Jan 23, 2025 3:46 am
by tanjimajuha20
According to Evgeny Kalashnikov, head of the DevOps product portfolio at the Sfera platform (T1 Digital LLC), DevSecOps is actively used by all types of companies, including commercial software vendors, custom development companies, and internal developers. However, due to its specific nature, the most active users of DevSecOps are companies that work with confidential information - financial organizations, government agencies, and large corporations.

Alexander Moiseev, leading information security consultant at Aktiv-soft JSC (AKTIV.CONSULTING), identified such categories of developers as vendors of information security solutions (which are then certified in the FSTEC of Russia system), suppliers of solutions for the financial industry, and organizations that have high-load solutions: various marketplaces, fintech, retail. "The maturity of information security of these organizations often allows them to implement these processes, staff the internal staff of developers and security with the necessary specialists, and implement the necessary tools without any regulatory requirements," he believes.

The main difficulty in implementing secure development practices, as Vseslav Solenik stated, citing personal experience, is that business, as the end customer, is not always interested in the quality of the code and therefore tends to view the implementation of additional systems and processes, including DevSecOps, as a burden. Moreover, such projects are usually long-term: according to the assessment of the head of the secure development department of SolidLab LLC, Valery Kuvaev, the work will take at least a year.

"Problems with understanding on the part of business are now less involved, since business is extremely interested in the implementation of DevSecOps tools and the security of end products," counters Evgeny Kalashnikov.

Another difficulty that arises during projects, according to the discussion participants, is establishing communication between the development teams and information security. According to Vseslav Solenik, this shows up primarily when information security specialists, having found a problem in the security of the application, cannot convey to the developers possible ways to resolve it. According to Evgeny Kalashnikov, the personnel problem and difficulties with communication are the most serious obstacles in DevSecOps implementation projects.

Dmitry Khomutov, Director of Ideco LLC, sees a whole range of obstacles: "Insufficient knowledge about security and DevSecOps is today the main problem of the effective implementation of this technology in Russian business practice. Entrepreneurs may not see the need to integrate security into development and consider it as additional complexity and costs. To solve the problem, in our opinion, it is important to provide employees with educational materials that will help them understand the benefits and importance of DevSecOps, as well as examples of organizations that have successfully implemented DevSecOps to show how valuable it can be for business. In addition, the implementation of DevSecOps requires specialists with knowledge and skills not only in the field of development, but also in the field of information security. However, such employees can be rare and expensive resources. An important point is the degree of communication between information security and developers. The speed of