“As companies automate more and more, they need more security. It’s like riding a motorcycle—the faster you go, the more specialized your safety equipment has to be,” says JJ Alvarez, managing director of Zivra.
These days, data breaches are a matter of when, not if, for companies large and small. Zivra, which helps its clients develop and implement IT transformation strategies, recently shifted focus from DevOps to DevSecOps in response to growing IT security needs among its clients in the US and Latin America.
DevSecOps helps companies integrate security measures as early in the application development life cycle as possible to minimize security risks and vulnerabilities; the term DevSecOps also refers to automating security measures.
Zivra’s DevSecOps offerings are twofold: they help enterprises assess and improve the maturity of their IT processes and tools, and they use their proprietary framework to identify and fill any gaps, whether resources or automation strategy.
“Our customers are now moving at a rapid pace and are often deploying multiple application changes in a day,” Alvarez says. “With this speed comes increased risk that IT will inadvertently introduce security vulnerabilities.”
To deepen its expertise in DevSecOps, Zivra acquired Akyzen, which provides complementary optimized IT solutions, in 2019. Both firms are located in Chicago; Zivra has additional offices in Dallas and San Francisco as well as in Mexico, Argentina, and Brazil.
“Akyzen provides secure cloud management solutions with secure remote access to small and medium-sized companies, and that capability was well aligned with the direction Zivra wanted to go,” Alvarez says. “With this acquisition, we’re now able to focus more on managed services, cloud migrations, and secure applications and infrastructure.”
Zivra has already helped several customers, including financial services firms and banks, via its DevSecOps assessment process, helping them uncover hidden security holes in their mobile and web applications. One common issue, Alvarez says, is that while companies are starting to introduce security automation processes early in the software development process, they have failed to go back and check existing applications for security vulnerabilities. “We’re helping them identify those gaps and scan the open source code in their applications,” Alvarez explains.
Although Zivra’s increased focus on DevSecOps has been in the works for months, the COVID-19 pandemic only further highlights the need for companies to step up their security measures, Alvarez says.
“People are increasingly working from home, and businesses are accelerating the migration of their applications and services to the cloud,” he says. “As we all use mobile and web applications these days for activities like grocery shopping, banking, and controlling our home security systems, there’s an increased risk that these applications will expose our personally identifiable information and banking information.
“There’s been a rise in cyber and phishing attacks,” he continues, “so we know cybercriminals are taking advantage of enterprises that may not be enabled to work remotely or haven’t properly invested in security solutions.”
As proof of the emerging need for DevSecOps, Alvarez points to Zivra’s software, cloud, and mobile security partners. “Many of these companies didn’t exist three or four years ago,” he says. “We’re bringing them with us for new clients in the US and Latin America along with other IT automation solutions. Many of these security software solutions are just starting to have a presence outside of the US. In essence, we’re helping wave the DevSecOps flag.”
DevSecOps is still an emerging field, however, and it does bring unique challenges to Zivra’s team. The biggest hurdle, Alvarez says, is the lack of skilled resources and knowledgeable partners.
“Today there is a very limited amount of DevSecOps resources available, specifically resources that focus on application security and that can work with a development team on integrating security automation into the software development process,” he says. “We’re having to not only bring thought leadership, best practices, and technologies but also having to recommend or staff skilled resources that can, in the interim, bring the necessary security expertise to these enterprises.”