What is hindering the implementation of DevSecOps in Russia

[tanjimajuha20]

Head of the Secure Development Department at InfoTeKS JSC Anastasia Kalugina, speaking at the round table "SDL and the Staff Shortage. Solutions" at the open conference of the ISP RAS, named the staff shortage as one of the main reasons for the gap between regulators' requirements for the development process and established practice. For example, Deputy Head of the FSTEC Vitaly Lyutikov at the BIS Summit 2023 conference drew attention to the fact that a significant portion of Russian developers do not comply with the agency's current regulations for the timely elimination of discovered vulnerabilities.

Read also

The need to quickly create jamaica whatsapp number database analogues of foreign products within the framework of import substitution and the expansion of regulatory requirements have led to an active growth in demand for the implementation of secure development tools in Russia. The main difficulties in their implementation are misunderstanding on the part of business and building a dialogue between information security and development teams.

As Anastasia Kalugina stated, universities do not prepare specialists in secure development - they have to be trained themselves, retraining from related specialties, and not just deeply immersing them in the topic, but simply drowning them in it. At the same time, according to her, there is still some progress. But still, as Anastasia Kalugina emphasized, the lack of personnel makes the transition to secure development long and painful. According to her assessment, the main difficulty is to achieve full coverage of the entire development life cycle, although there are no major problems in implementing each of the stages.

At the same time, as Vladimir Karantaev, Associate Professor at the National Research University MPEI, reminded, a number of industries, including electric power, are on the verge of large-scale digitalization, which will spur the demand for specialists in secure development even more, but at the same time, an additional requirement is the presence of deep knowledge in the subject area.

Also, according to Anna Shchiptsova, Dean of the Faculty of Informatics and Computer Engineering of the Chuvash State University, a serious problem is the imperfection of educational programs. In particular, she drew attention to the fact that developers are given insufficient knowledge in the field of information and cybersecurity, and future information security specialists - in the field of development. Anna Shchiptsova also drew attention to the need for a wider popularization of the topic of secure development, both among potential applicants and students, and teachers.

Deputy Head of the Basic Department of the Institute of System Programming of the Russian Academy of Sciences at the National Research University Higher School of Economics, Professor Efim Grinkrug called the competition for applicants and students a serious challenge. He noted that everything related to system programming is often unclear and complicated, as a result, it is very difficult to attract applicants and retain students, and all this creates difficulties for the department staff in achieving good indicators for reporting.

But at the same time, personnel are not trained at all in many functional areas. In particular, this was stated by the representative of the General Staff of the Armed Forces of the Russian Federation Sergey Kondakov. He noted that military universities do not train specialists in many in-demand IT and information security areas, including everything related to the development of advanced analytics systems, machine learning and artificial intelligence, and secure development. As a result, as he stated, it is necessary to look for specialists on the civilian market, which is quite difficult, given that the structures of the Ministry of Defense, including the General Staff, cannot offer a competitive level of wages. But, as Sergey Kondakov recalled, AI is actively used in military practice.

Advisor to the Governor of the Nizhny Novgorod Region Valery Cherepennikov named one of the main problems of universities as a shortage of teaching staff, and to solve it, help from potential employers is needed. At the same time, secure development, as well as information security specialties in general, according to his assessment, are among the most popular areas. But Valery Cherepennikov warned against turning educational institutions into "factories of wooden soldiers" where they train to use some software and hardware without understanding the principles of their operation. He also reminded that specialists must constantly learn and retrain, and the necessary skill must be instilled in the educational institution.

Director of the Institute of System Programming of the Russian Academy of Sciences, Academician Arutyun Avetisyan, proposed creating a single repository that would unite not only technical tools for safe development, but also educational programs and methodological developments that have been accumulated by various educational institutions, research institutions and companies: "Such a single ecosystem will allow each educational institution or company not to invent what others have already successfully solved. Such a single ecosystem will allow us to more quickly prepare the necessary specialists and solve the problem of personnel shortage."