Detection of Unauthorised Changes in the DevSecOps pipeline

Nov 10, 2020

I was delighted and honoured by the opportunity to be a subject matter expert for Experian’s global DevSecOps transformation initiative. Experian delivers much of our $5.2 billion revenue through this channel, via thousands of applications. It’s an absolute privilege to be part of the strategic initiative to transform and improve how software is developed at Experian.

Software, together with connected infrastructure or cloud services, forms the mainstay of digitised services and operations. Regardless of the industry, an organisation’s services and operations will leverage digital services, with software at the intersection. The timelines for new software have been condensed, whilst quality expectations, including those related to security, have increased. This is where the concept of DevSecOps, an expansion of DevOps that incorporates security continuously and incrementally, has come to the fore.

And in recognition that many other organisations are undergoing a similar journey, we have done our best to share the technical understanding and experiences from our journey through panels and presentations at conferences and meetings. As part of the process of giving back to the community, one query appeared repeatedly from the audience: given that DevSecOps encourages frequent, small, incremental changes in software development, what tools would you use to detect unauthorised changes within an environment that is expected to have constant change?

Most of the tools used to detect unauthorised changes within environments work by matching specific signatures or by flagging deviations from a baseline of the environment. Where frequent incremental change is encouraged, as it is in a DevSecOps development pipeline, that baseline is constantly moving, so the detection of unauthorised changes has to lean on the corporate secure software development lifecycle processes instead: every change should be attributable to a pipeline run that passed the required approvals, and the privileges developers hold in the environment determine who could have made a change outside that path. Currently, it is not possible to detect these on a purely automated basis with toolsets; a change made by someone who legitimately holds the rights to make it still needs human judgement. In DevSecOps, it’s always a balance between being able to move at speed and a certain level of assurance for the environment, which may impede the development process.
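To make the point concrete, here is an added example (not code from the original post or from Experian) of reconciling a file-integrity monitor's change feed against the pipeline's own deployment records, rather than against a static baseline. The deploy identity, the approval flag, the developer list and the sample changes are all constructed for illustration. A change whose content hash matches an approved pipeline artifact and was written by the pipeline's identity is authorised; content the pipeline never built, written by an actor with no legitimate privilege, is unauthorised; everything in between (a developer with production rights editing a file, or an approved artifact placed by hand) is exactly the residue that tooling cannot settle and that goes to a review queue.

```python
"""Reconcile observed changes against pipeline-authorised deployments.

Added example, not the original post's code. The identities, flags and
sample records below are constructed assumptions for illustration.
"""
from dataclasses import dataclass
import hashlib

# Assumption: the CI/CD pipeline deploys under one dedicated service account;
# any other actor is a human or an unknown process.
PIPELINE_ACTOR = "svc-cicd-deploy"

AUTHORISED = "authorised"
UNAUTHORISED = "unauthorised"
NEEDS_REVIEW = "needs_review"


@dataclass(frozen=True)
class Deployment:
    """A pipeline run that produced an artifact, with its approval state
    (e.g. review passed and a change record exists)."""
    run_id: str
    artifact_sha256: str
    approved: bool


@dataclass(frozen=True)
class ObservedChange:
    """One change reported by a file-integrity monitor on a host."""
    path: str
    content_sha256: str
    actor: str


def classify(change, deployments_by_hash, privileged_developers):
    """Attribute one observed change to the SDLC process that should explain it."""
    run = deployments_by_hash.get(change.content_sha256)
    if run is not None and run.approved and change.actor == PIPELINE_ACTOR:
        # The pipeline built it, the gate was passed, and the pipeline deployed it.
        return AUTHORISED
    if run is not None and not run.approved:
        # Bits the pipeline built but that never passed the approval gate.
        return UNAUTHORISED
    if run is not None or change.actor in privileged_developers:
        # An approved artifact placed outside the pipeline, or a developer
        # using legitimate production rights: tooling alone cannot decide.
        return NEEDS_REVIEW
    # Content the pipeline never produced, written by an actor with no rights.
    return UNAUTHORISED


def reconcile(changes, deployments, privileged_developers):
    """Return {path: verdict} for every observed change."""
    by_hash = {d.artifact_sha256: d for d in deployments}
    return {c.path: classify(c, by_hash, privileged_developers) for c in changes}


def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed sample data: two pipeline runs, five changes seen on a host.
GOOD_BUILD = sha256_of(b"app v1.4.2 release bundle")
UNAPPROVED_BUILD = sha256_of(b"app feature-branch build")
HAND_EDIT = sha256_of(b"nginx.conf edited on the box")
DROPPED_CRON = sha256_of(b"@reboot root /tmp/.payload")

SAMPLE_DEPLOYMENTS = [
    Deployment("run-2041", GOOD_BUILD, approved=True),
    Deployment("run-2042", UNAPPROVED_BUILD, approved=False),
]
SAMPLE_CHANGES = [
    ObservedChange("/opt/app/bundle.tgz", GOOD_BUILD, PIPELINE_ACTOR),
    ObservedChange("/opt/app/bundle-ft.tgz", UNAPPROVED_BUILD, PIPELINE_ACTOR),
    ObservedChange("/etc/nginx/nginx.conf", HAND_EDIT, "alice"),
    ObservedChange("/etc/cron.d/backup", DROPPED_CRON, "www-data"),
    ObservedChange("/opt/app/bundle-copy.tgz", GOOD_BUILD, "bob"),
]
PRIVILEGED_DEVELOPERS = {"alice", "bob"}


def sample_report():
    return reconcile(SAMPLE_CHANGES, SAMPLE_DEPLOYMENTS, PRIVILEGED_DEVELOPERS)


if __name__ == "__main__":
    for path, verdict in sample_report().items():
        print(f"{verdict:13} {path}")
```

The two `needs_review` verdicts are the crux of the answer given above: the monitor can see that `alice` edited a config file and that `bob` copied an approved bundle by hand, but whether those were sanctioned hotfixes or a process bypass is a question for the change process and the people who own it, not for the tool.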

Dr. Wendy Ng is a DevSecOps Security Managing Advisor, who’s honed her technical consulting skills through a number of industries: aerospace, healthcare, fintech, telco, transport logistics, and critical national infrastructure. Wendy completed her doctoral studies at the University of Oxford and has contributed to the scientific community through peer-reviewed publications. She has been sharing her experience and expertise, addressing key challenges, in her blogs since 2016.