2018.11.22
World-First System Development Cloud for DevSecOps
-- NTT COMWARE's new service for DevSecOps/Cloud IDE on SmartCloud DevaaS® 2.0 --
NTT COMWARE CORPORATION (Head office: Minato-ku, Tokyo; President: Satoshi Kurishima, hereinafter NTT COMWARE) will start a service to support "SmartCloud DevaaS® 2.0", the system development cloud service to support corporate customers' DevOps in the fourth quarter of FY2018. This is for a service to DevSecOps*1to realize a time-efficient and secure system development cycle, as well as the cloud IDE. The new service includes world-first IT security functions interlinked with DevOps tool chains and real-time automatic analysis/diagnosis by the Web browser-based IDE*2 for digital transformation of corporate customers.
1. Background
Although DevOps and Agile are recently beginning to be popular, IT security-related problems such as vulnerability of application developments are becoming more complicated and increasing with shorter release cycles. This is partly due to the fact that the IT security process remains obsolete compared to rapid development cycles such as DevOps and Agile. For instance, if an IT security team hands over the source codes and applications that they have developed to a development team to diagnose their vulnerability, it may take several days not only for linking the data but also extra man-hours for diagnoses, which may cause a delay in release of the system. Therefore, it becomes more important to realize "Shift Left Security"*3 to identify and eliminate security-related risks earlier and increase the speed of the entire systems development cycle."SmartCloud DevaaS® 2.0 ("DevaaS® 2.0")", a cloud environment for systems development, and the add-on function of securities on the existing CI/CD platform, will be available for DevSecOps cycles in March 2019.
In addition, with recent trends in the change of work styles (with the Japanese government-led policy to reform work styles) and increase in the speed in business, systems development environments have become diversified, including the locations and personal computers for systems development, which requires a new system development environment to enable developers to start working in a flexible and speedy manner. Under these circumstances, NTT COMWARE starts the service of Cloud IDE, the integrated systems development of the next generation with "DevaaS® 2.0" in December 2018.
[The systems development cycles with or without DevSecOps]
2. Outline of New Functions
(1) Support for DevSecOps (the security diagnosis tool)"DevaaS® 2.0" has a security diagnostic tool linked to CI/CD platforms (hereinafter SAST/IAST *4) to apply the DevSecOps cycles to automate security analysis/diagnosis in the development cycles.
By collaborating with CI/CD tools such as Jenkins and Git which are currently being provided, we have adopted SAST/IAST, which can shift while automating the security process and discover vulnerabilities with more real time property in the development process.
SAST/IAST allow developers themselves to diagnose what was outsourced to the security team, which contributes to shortening the development period.
(2) Cloud IDE
In addition to the thin client-type terminals currently available as one of the product lineups for development environments, Cloud IDE, the integrated development environment, will be available for Web browser-based systems development environments for "DevaaS® 2.0" based on the OSS product Eclipse Che. This enables developers to quickly start their systems development in a location free environment and to manage any change of situations of human resources such as a sudden increase or decrease of developers by managing all the settings information on the cloud environment.
3. Schedule
(1) DevSecOps related (the security diagnostic tool (SAST/IAST)): March 22, 2019(2) Cloud IDE: December 21, 2018
4. Future Scenario
NTTCOMWARE plans to provide a new commercial cloud environment "SmartCloud® Duo" in April 2019 to further promote DevOps for corporate users. "SmartCloud® Duo" is scheduled to offer various services supporting cloud-native enterprise businesses as a container-type orchestration service linked with Red Hat OpenShift. This is a one-stop service of the DevOps cycle by combining with "DevaaS® 2.0," a commercial cloud environment, and that seamlessly links with "DevaaS® 2.0" as a cloud service to support digital transformation of corporate users.
[SmartCloud® Duo services]
[Terminology]
*1: DevSecOps: A scheme to reduce revision costs to allow developers and operators to dynamically detect vulnerabilities in the previous process in the systems development workflow of DevSecOps.
*2: IDE (Integrated Development Environment): an environment with necessary functions for systems development including code editor, debugger, file manager, Git, FTP and SFTP client.
*3: Shift left: A mechanism that minimizes negative impacts in the subsequent process of systems development by transferring the time axis of the entire development process to the left by accelerating the process that was being implemented in the post development stage.
*4: SAST/IAST:
** SAST (Static Application Security Testing)
A hybrid inspection combining SAST and DAST (Dynamic Application Security Testing) to perform static analyses of source codes using the check tool to detect the vulnerability of the source codes.
** IAST (Interactive Application Security Testing)
A hybrid-type inspection combining SAST and DAST (Dynamic Application Security Testing) to achieve a comprehensive and efficient inspection process.
* It is a world-first comprehensive service to provide an IAST service on systems development environments in the cloud.
* "SmartCloud (Smart Cloud)", "SmartCloud" logo, "DevaaS", "DataSkywalker" are registered trademarks of NTT COMWARE CORPORATION.
* Enterprise Cloud and Enterprise Cloud logo are registered trademarks of NTT Communications Corporation.
* Azure is a registered trademark or a trademark of Microsoft Corporation USA in the United States and other countries.
* Red Hat and OpenShift are trademarks of Red Hat, Inc. in the United States and other countries.
* AWS is a registered trademark or trademark of Amazon.com, Inc. or its affiliate companies in the United States and/or other countries.
* Jenkins logo is licensed under the Creative Commons Attribution-ShareAlike 3.0 Unported License. (Https://jenkins.io/)
* Jenkins is a registered trademark of SOFTWARE IN PUBLIC INTEREST, INC.
* Git is a registered trademark of Software Freedom Conservancy, Inc.
* Docker is a trademark or registered trademark of Docker, Inc. in the United States and other countries.
* Eclipse is a registered trademark of the Eclipse Foundation and its subsidiaries and affiliate companies in the United States and other countries.
* Other company names, product names and service names are trademarks or registered trademarks of each company.
