Pivotal touts agile development as way to keep APAC systems secure

The principles behind agile software development can be applied to cybersecurity, in which companies can keep systems more stable by continuously changing their network environment.

Traditionally, in an attempt to keep the infrastructure secure, organisations would try to lock down a data centre and prohibit software changes or new installs because these could introduce new vulnerabilities.

"If you look at where we are today, vulnerabilities are [still] coming continuously, with hackers always discovering new things," said Pivotal CEO Rob Mee. While there were security experts monitoring potential threats, the current landscape was an arms race that was difficult to win and where new threats were constantly emerging.

"So one thing people are looking at now, and what we're doing with our platform is continuously changing the attack surface, so it's harder to penetrate," Mee said in an interview with ZDNet. "You have to move very quickly and change continuously in order to be more stable."

This also was the core principle behind agile software development, which Pivotal had been championing as essential in helping companies remain competitive and enabling them to scale quickly.

The need for enterprise agility surfaced when startups and market disruptors threatened traditional business models and players, fuelling the latter's desire to adopt the same techniques that would allow them to move quickly, be more resilient, change quickly in the face of competition.

This drove the importance of digital transformation and focus on software development approach, primarily because applications were increasingly integral to business operations and needed to be optimised to keep up with market changes and demands.

At the same time, there was wider access to cloud technologies that were becoming more developer-friendly and enabling IT provisioning to be more streamlined.

In adapting agile development to what it called cloud-native security, Pivotal focused on three key principles around "repair", "repave", and "rotate". In a nutshell, these aimed to plug software vulnerabilities as soon as patches were available, constantly rebuild applications and servers to maintain stability, and frequently change user credentials so these were usable only for short periods of time.

In a datacentre environment, for instance, security patches would be tested across different versions of a software component and updated automatically, Mee explained. The flexibility of a cloud-enabled infrastructure also would allow VMs (virtual machines) to be periodically brought down and reconstituted, without affecting the applications running on them, so unknown threats would not be left gestating.

"With these three principles, we're continuously shifting the sand underneath any attack vector so it's harder for them to gain [access]," he said. "In order to be safe, instead of saying don't change everything, we might be moving to a world in which you have to continuously change to be safer. Just like you have to continuously change and move more quickly in order to be more stable."

A recent Forrester survey, however, revealed companies were struggling to determine the value of agile and DevOps practices. The study, which commissioned by Blueprint Software, defined business value as revenue, competitiveness, profitability, and customer acquisition. It found that 50 percent of respondents were finding it difficult to link DevOps activities to business outcomes, with 62 percent using speed to measure the success of such efforts.

According to Mee, organisations faced difficulties coping with agile development because they believed they had to stick to a given recipe or follow a set of commandments.

"The heart of doing development this way is to understand that it's all based on feedback. The way you build applications, technology, and products is that you're continuing getting feedback and continuously improving the product," he noted. "That applies to the method itself. If you're not continuously changing the approach to software development, you're not doing it right."

"There's no bible to doing this. It's a more scientific approach where any assumption today is open to question," Mee said, adding that Pivotal Cloud Foundry itself was built on this model. Launched in 2013, the open source-based software development platform currently was supported by a team of more than 300, including 60 sub-teams.

He added that the vendor currently was working with VMware to integrate Cloud Foundry with the latter's networking virtualisation platform, NSX. Efforts here would further provide opportunities to operate a network foundation based on a specific application topology that could be generated and torn down, he said, noting that this recurring theme of change would continue over the next few years.

Pivotal last year raised US$253 million in a third round in funds, pulling in partners and customers such as Microsoft, GE, and Ford as investors.

When asked, Mee said the investment was raised to "accelerate R&D and go-to-market" efforts, but declined to provide more details on future investment plans.

The vendor in October 2013 opened a facility in Singapore, offering resources and expertise including in data science and agile application development, to help companies testbed their proof-of-concepts. The centre also offered training in big data skillsets under an initiative co-founded by local regulator, IMDA.

Pivotal was unable to provide details on how many professionals the centre had trained over the last four years, but said it still conducted seminars and workshops in data science.