APAC organizations may miss out on critical aspects in the adoption of open source and DevSecOps  during digital transformation in the pandemic.

Pierluigi Cau, Director of Solutions Engineering, Asia Pacific, GitHub

Despite numerous well-documented case studies on the successful and effective adoption of open source to safely and efficiently develop code, outdated perceptions surrounding security still exist.

As a result, digitalization initiatives are being stalled, hindering the scalability and efficiency of the business. Worse of all, operations face greater cybersecurity risks due to the vulnerabilities of legacy software and systems.

In the aftermath of the COVID-19 pandemic outbreak, CybersecAsia discussed the state of open source adoption and DevSecOps in Asia Pacific with Pierluigi Cau, Director of Solutions Engineering, Asia Pacific, GitHub.

In your opinion, how has the COVID-19 pandemic affected digital transformation among APAC organizations?

Cau: COVID-19 brought a sudden — and global — need for people to shelter in place. The pandemic has also urged many organizations to dramatically accelerate their digital transformation initiatives and support remote work wherever possible. In a distributed, remote world, asynchronous communication, collaboration, and the ability to rapidly deliver value, are key success drivers of any digital transformation initiative and best practices the largest community of over 56 million developers live by.

In terms of impact on developers and businesses, our recent developer productivity report, released as part of the GitHub’s annual State of the Octoverse report, highlights key productivity patterns across the developer community during COVID 19. Our analysis shows that people are resilient to change and developer activity showed a 40 per cent increase in repositories created, with 25 per cent more contributions to open source projects in 2021 compared to last year.

Singapore alone registered an increase in developer productivity of 44.1 per cent, over the past year.

The insights from the report help understand the changing dynamics in terms of developer activity and how developers and organizations can better prepare for potential business disruptions in the future.

Companies that can adapt their processes and procedures—and embrace new ways of working as quickly as their teams—will be resilient, successful, and at the forefront in driving innovation. For developers, preparing for this includes introducing flexible tools and processes to plan and track work, as well as shifting tools to the cloud to provide a superior developer experience.

From your interactions with customers in the region, how have security concerns among APAC business leaders changed with the onset of the pandemic?

Cau: Growth of vulnerabilities in software code is linear with the number of lines of code that people are writing. As the world increasingly transitions to digital, and relies on software to do so, security needs to be top-of-mind for both developers and organizations alike.

Enterprises have traditionally relied heavily on security researchers to uncover, report and fix vulnerabilities in both the code they depend on as well as originating in their own IP. But code security research is a specialist skill and the supply for researchers far outweighs the demand. So much so that security researchers are on average outnumbered 500:1 when compared to developers. Moreover, with the increase in the APAC cybersecurity talent workforce gap, surpassing the two million mark in 2019, it is clear that a change in the approach is needed.

Embracing a developer-first approach and enabling developers to “shift left”, empowers them to identify and fix vulnerabilities as they are discovered, so that they don’t enter the production cycle. By adopting this approach, developers are empowered to continually check for vulnerabilities as part of the development and testing phase.

Forward looking open source development platforms encourage users to take on a collective responsibility when developing and maintaining secure code. Paired with the appropriate tools, developers can leverage automated code scanning technology to uncover and fix vulnerabilities in the early stages of the software development lifecycle, ensuring a seamless transition into production.

Organizations, the developer community and security researchers must come together and commit time, resources and expertise to find and report vulnerabilities in open source code, build new and improved security tooling, and develop secure best practices for everyone.

Are organizations in the region generally taking the right approach to address digital transformation and cybersecurity?

Cau: Organizations are starting to understand that security must be a shared responsibility between developers, security professionals, and business leaders and it is not something that an individual or a company can take on alone. In the same way that open source teams collaborate on shared projects, the only way to effectively combat technical debt with today’s increasing code volume and velocity is to solve security issues, together.

It is estimated that 85% of vulnerabilities in open source are disclosed with a patch already available. But being proactive and successful at addressing software supply chain threats goes beyond patching. With the shift to digital transformation heavily relying on software and the code underpinning it, it is clear that security must be approached as a collaborative effort and one that puts developers first.

By baking security into every step of the development lifecycle and adopting a ‘shift-left’ approach to security, developers are empowered to continually check for vulnerabilities as part of the development and testing phase.

How do open source and DevSecOps help to address these concerns?

Cau: Modern software is built on open source, with 99% of codebases containing open source components. On GitHub alone, 94% of projects rely on open source components, with nearly 700 dependencies.

For organizations, the question is not about how much open source code is being used. It’s about what open source code you’re using. If organizations are not aware of what is in their software supply chain, an upstream vulnerability in any of their dependencies can affect their applications, making them susceptible to potential security exposure. Relatively newer approaches to application security—including DevSecOps and shifting security left—have suggested significant improvements to both traditional and end-to-end security.

Just as developers and operations are both responsible for reliability and quality in DevOps, DevSecOps makes security a team effort, not a final step. Developers, operations, and security teams work together to keep applications secure from the first line of code to final production, by continuously integrating security across your development process. This means shifting security reviews and testing left, enabling security controls earlier on in the development process, so that vulnerabilities are fixed before entering the production cycle.

What are some best practices that APAC enterprises can implement to maintain security during development?

Cau: Following DevSecOps means organizations need to approach security as an ongoing part of software development, baking security in every step of the development cycle. By adopting a ‘shift-left’ approach to security, developers are empowered to continually check for vulnerabilities as part of the development and testing phase.

Understanding dependencies and the risks associated with them, conducting regular checks to remove unnecessary dependencies and monitoring the entire software development supply chain are key steps developers need to take, as they build secure code.

Securing the world’s code is a collective responsibility that requires collaboration from all parties involved in the software development ecosystem. It is critical to combine the skills, expertise and resources of teams, organizations, and individuals that share a common interest in ensuring secure software development.

Securing the world’s code must be a collective effort because a safe and healthy open source community isn’t just good for open source, it benefits the millions of critical technologies that depend on it.