DevSecOps for IBM i (aka AS/400 or AS400)

Digital transformation and cloud adoption have made software the primary source of business risk. Complex application architectures increase attack surfaces, and new computing paradigms often lack security as a priority. While DevOps brings efficiency to software delivery, accelerated cycles can overlook security flaws, leading to dormant vulnerabilities. DevOps also changes security management, with continuous concerns and shared responsibility across teams. In response, security shifts left into software creation, becoming integral to DevOps as DevSecOps.

In successful DevSecOps, automation is key. Human error is a common cause of security breaches, with manual processes leaving coding flaws and vulnerabilities undetected. To minimize risk, each phase in the DevSecOps cycle should be automated and continuous, shifting security left and preventing rework.

While IBM i boasts strong built-in security, the need for DevSecOps arises as applications modernize and integrate with external sources. Legacy code exposed as Web services poses new risks like SQL injection and unsafe APIs. DevSecOps teams use static code analysis to mitigate these threats, applying OWASP quality control rules. Additionally, automated data anonymization techniques are essential to address insider threats, which account for a significant portion of data breaches.

DevOps implementations often rely on disparate, non-integrated tools, making it difficult to measure quality and security levels. To achieve compliance in hybrid environments, DevSecOps teams require a holistic view of security across multiple technologies and platforms. This necessitates an integrated toolset with a shared repository for centralized reporting and control.