Nick Wu is the Product Development Director at Xcalibyte, responsible for internal DevOps and post-sales technical support & services.
Q: ‘DevSecOps’ (Development Security Operations) evolved from “DevOps” and in the past few years has become a hot topic for developers in China. What impact does “DevSecOps” bring to software development?
A: DevOps is the abbreviation of “Development and Operations”. Under the concept of DevOps, software developers and operations and maintenance staff work closely together. With the accelerated development of the Internet industry and the popularity of agile development models, DevOps has been widely welcomed by organisations. However, the shortening of the software development cycle also brings some drawbacks. The long development cycle in the past provided sufficient time to ensure the stability and security of the software through thorough testing. In recent years, the agile development model has become popular and the development cycle has been shortened, resulting in an increasing number of software security issues brought about by poor code reviews and insufficient testing.
Many companies have already realized the importance of security and the catastrophic consequences of not paying attention to it. They have started to prioritize it and the new concept of ‘DevSecOps’, which integrates security into DevOps in the early stages of software development, is being universally adopted. To integrate Sec into DevOps, all team members need to have a security mindset.
Q: Application Security Testing (AST) is a major part of DevSecOps activities. Could you explain the importance of AST in “DevSecOps”?
A: The implementation of DevSecOps often encounters great resistance. This is because the steps of ‘Sec’ are contradictory to the original intention of DevOps. The main purpose of DevOps practice is to shorten development times. The security checking requirements mean extra time consumption, which is contrary to the original intention of DevOps agile development for “fast” delivery.
AST includes Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST) and Interactive Application Security Testing (IAST). Xcalibyte currently provides SAST tools, with IAST in the pipeline. SAST is highly relevant for DevSecOps. Developers can use SAST tools for ‘shift-left’ testing, where defect detection and remediation starts earlier in the development process, during the coding phase. This significantly improves the accuracy and efficiency of code testing whilst reducing costs, resources and time. The most important requirements of a SAST tool are speed and accuracy. Compared with competing products, these are where Xcalibyte’s tools excel.
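To make the ‘shift-left’ idea in this answer concrete, here is a small added illustration that is not part of the interview and is not Xcalibyte’s product: a pre-commit style gate that parses Python source into an AST and flags a handful of well-known dangerous sinks (eval/exec, pickle deserialisation, subprocess calls with shell=True) before the code ever reaches a reviewer or a test environment. The sample source, the rule identifiers and the function names are constructed for the example.

```python
"""Minimal shift-left static check (illustrative example, not a product)."""
import ast
import sys

# Constructed sample: the kind of file a developer might commit before review.
# Line numbers below count from the first (empty) line of this string.
SAMPLE_SOURCE = '''
import subprocess, pickle

def run(cmd):
    subprocess.call(cmd, shell=True)   # shell=True with caller-controlled cmd

def load(blob):
    return pickle.loads(blob)          # deserialising untrusted bytes

def calc(expr):
    return eval(expr)                  # arbitrary code execution sink

def safe(cmd):
    subprocess.call(["ls", "-l", cmd]) # argv list, no shell: not flagged
'''

# Rule table (constructed ids): fully qualified callable -> finding id.
DANGEROUS_CALLS = {
    "eval": "PY-EVAL",
    "exec": "PY-EXEC",
    "pickle.loads": "PY-PICKLE",
    "pickle.load": "PY-PICKLE",
}


def qualified_name(node):
    """Return 'a.b.c' for a Name/Attribute chain, or None for anything else."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source, filename="<sample>"):
    """Walk the AST and return sorted (line, rule_id, message) findings."""
    findings = []
    tree = ast.parse(source, filename)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = qualified_name(node.func)
        if name in DANGEROUS_CALLS:
            findings.append((node.lineno, DANGEROUS_CALLS[name], f"call to {name}()"))
        # subprocess.* is flagged only when shell=True is passed as a literal.
        if name and name.startswith("subprocess."):
            for kw in node.keywords:
                if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                    findings.append((node.lineno, "PY-SHELL", f"{name}() with shell=True"))
    return sorted(findings)


def gate(source, filename="<sample>"):
    """Pre-commit gate: print findings and return 1 (block) or 0 (allow)."""
    findings = scan_source(source, filename)
    for line, rule, msg in findings:
        print(f"{filename}:{line}: {rule}: {msg}")
    return 1 if findings else 0


if __name__ == "__main__":
    # Usage: python shift_left_check.py [path/to/file.py]; no argument scans the sample.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    src = open(path).read() if path else SAMPLE_SOURCE
    sys.exit(gate(src, path or "<sample>"))
```

Wired into a pre-commit hook or the first CI stage, a check like this turns the non-zero exit code into a blocked commit, which is the whole point of shifting detection left: the developer fixes the finding while the code is still in front of them rather than after a penetration test. A real SAST engine adds data-flow analysis (is `cmd` actually attacker-influenced?) to cut the false positives a purely syntactic rule like this one produces.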
Q: Why is DevSecOps gaining such momentum and what are the new requirements over using traditional DevOps?
A: The concept of “secure production” has already penetrated many traditional industries such as manufacturing or automotive, but this has just begun in the software industry. In the past, when developers in China were taught basic programming, security issues were not given enough attention. Because of this absence of ‘security thinking’, many small companies only consider how to deliver products quickly and ignore security issues. This has also led to the frequent occurrence of security issues with domestic software applications, including those of Internet giants that deliver services overseas. Ignoring these issues has made more organisations realize the importance of security, and many of them are now making up for their poor focus as they pay off their technical debt.
The Sec in DevSecOps is the security process. Security concepts and activities must be strictly implemented in DevOps, such as regular security training and proactive/reactive methodologies by technology teams. Software code quality determines and affects security issues. In order to improve the efficiency and quality of product development, intervention and prevention can be carried out at the early stage of software development, and tools can be used to improve the efficiency of vulnerability detection.
Q: As the product development director at Xcalibyte, what efforts have your team made to understand clients’ needs and to refine the product?
A: In addition to the IT industry, many traditional industries such as utilities and finance have software security requirements and need to use SAST tools. Our customers come from a wide range of industry categories. When a customer puts forward a requirement, we take a consultative approach by studying and analysing their industry background, needs and pain points, as well as their future requirements. We continuously enhance our solution based on customer feedback and, for many of them, we provide customized solutions based on our core product. Over time, we will launch industry-specific versions of our tools to respond more effectively and efficiently.
Q: You also oversee the post-sales technical support and service. What kind of feedback have you received from clients, and can you tell us an example of how your team helped a client after installing your solution?
A: Customers recognize our ability to solve problems quickly and effectively. As a nimble startup with offices in Beijing, Shanghai, Shenzhen, and Hong Kong, we are able to respond very quickly in the domestic market compared to overseas competitors.
For example, one of our customers, a large IoT company in China, told us of their requirement to start shift-left testing. Rather than simply helping the client implement our tools, we helped them set up a process for adopting a shift-left approach. As we have people on the ground who can travel to different locations in China, we are able to work within timelines that are highly acceptable and appreciated by our clients. We are now engaged with this customer for additional AppSec consulting projects, including training workshops.
Q: What attracted you to join Xcalibyte?
A: In actual fact, I have known two of the co-founders for a long time. During my postgraduate degree, I worked with both Mr. Shin-Ming Liu, Chief Architect, and Mr. Sun Chen, CTO. The work they have done is extraordinary. At present in China, there are very few people capable of doing work in low-level software development. We make development tools for software developers, so you can imagine how advanced the technical requirements are. It is an important opportunity for us to help domestic industries fill big gaps in the field of software development. The complexity of the challenge was something that really attracted me.
Q: We saw that you are hiring new staff. What would you say are the qualifications for your future teammates?
A: We attach great importance to talent, and we are eager to find suitable and like-minded people. I often read about the perspectives of industry leaders such as Lei Jun and Zhang Yiming on hiring talent, which are quite similar to our own. We expect people to have the ability to continue learning independently and to have the spirit to take on difficult challenges. Taking the initiative and accepting responsibility are other traits we look for.
As a small startup, each and every person bears considerable responsibility for delivering our product to market and we have to rely on everyone being proactive in problem-solving.
Q: What’s the company culture like at Xcalibyte?
A: I’d say it’s similar to the atmosphere of many Internet companies and Silicon Valley technology companies. The organisational structure is very flat, free and flexible. When team members have new ideas, they can communicate directly with the decision makers. In addition, after completing the tasks within the scope of our duties, we are also keen to help colleagues or to take on technical challenges that interest us on a personal level.
Q: Any final thoughts that you’d like to add?
A: I cannot stress enough the importance of addressing security needs in your software applications and DevSecOps is already the norm in Western markets. It is imperative that all companies and developers in the domestic market embrace it to ensure we deliver high quality and secure products.