Taking a proactive security approach with DevSecOps and Security by Design. Takeaways from the Users-Only Beltug X-change of 11 June 2020


When building an infrastructure, we of course want it to be as free of vulnerabilities and as immune to cybercrime as possible. In a world with technologies such as edge computing and IoT, one approach to achieving this immunity can be found in 'Security by Design'.


During this virtual session, we first heard Greenyard’s take on the concept, then we had an open discussion for our members' insights, questions and experiences. To ensure an uninhibited discussion, this X-change was open to digital technology users only (not providers).


The presentations from this X-change, and a link to the recording of the event, are available for our members (after log-in).


Case: Security by Design: beyond the code


Johan Stronkhorst, Group ICT Security Manager at Greenyard, opened the event and set the scene. Greenyard is a global B2B company, mostly supplying the retail market in Western Europe.


As cyber-attack paths are constantly changing, Greenyard believes fresh approaches are always necessary. Johan shared some new trends:


  • ‘Island hopping’: an attack that undermines a company's cyber defences by going after its vulnerable partner network
  • Spear phishing and whaling replacing mass phishing
  • Advanced attacks that stay (almost) 100% under the radar of threat detection systems
  • Individual users targeted from 'trusted' sources
  • Attackers preparing their hits for months in advance


These trends have their effect on the IT security strategy (slide 5).


Within a DevSecOps set-up, many legacy systems remain, which keeps the approach reactive. In the search for a more proactive approach, Greenyard moved from building applications simply to serve their defined purpose, to building applications that are capable of monitoring themselves and their data flows.


For Greenyard, security means that data and information are available and secured at all times. This availability is a key driver in Greenyard's security strategy, and the business data flows define how the infrastructure is monitored.


With this proactive approach, the dataflows can be observed, analysed and monitored from end to end in the critical business processes (slide 7).


However, even with the DevSecOps approach and a proactive mindset, it is important to keep an eye on the business risks, Johan emphasises. Incorporate risk mitigation in your solutions (Business Impact Analysis).


In practice, this means:

  • The threat analysis defines the security architecture
  • The criticality of business data flows defines the ICT requirements, supporting the primary business processes to guarantee business continuity
  • Identity authentication defines operational security in a highly distributed environment

(slide 9)




