12 DevSecOps Trends to Watch Right Now - Part 1
August 05, 2021

Jayne Groll
DevOps Institute

Baking security into your software and apps from the beginning is more important than ever. Without security, your development lifecycle is open to bugs and vulnerabilities, putting your organization and customers at risk. DevSecOps is an augmentation of DevOps, allowing security practices to be integrated into the DevOps approach. This approach shifts security to the left, ensuring that security is implemented at the beginning of the development lifecycle rather than bolted on at the end.

While DevSecOps practices are still evolving, there are many trends to keep an eye on. I asked several speakers and sponsors for the upcoming SKILup Day as well as several DevOps Institute Ambassadors to weigh in on the hottest DevSecOps trends. Here's what they shared:

Sponsor, Kendall Miller
President, Fairwinds

The answer is in the question itself, the merging of security into DevOps, when historically it's been a separate practice. Now people are realizing that separating security is a mistake — it all needs to be paired together out of the gate. In the same way that the merging of dev and ops requires great tooling but leads to organizational change and efficiency gains, the addition of security also requires great tooling … but leads to incredible organizational change. So the trend is the merging itself and the tools that make the merge possible. It's really hard to bolt security on afterwards, and as the world increasingly adopts tools like Kubernetes, service ownership is increasingly common, and it must include security from the get-go.

Sponsor, Guy Eisenkot
VP of Product, Bridgecrew by Prisma Cloud

One of the biggest DevSecOps trends is shifting anything and everything left. To make it easier, faster, and cheaper to address vulnerabilities and misconfigurations, security and compliance teams are looking for ways to collaborate with DevOps and engineering to embed guardrails earlier in the DevOps lifecycle. Whether that's in the IDE or part of build pipelines, getting early feedback helps minimize context-switching for engineers, saves DevOps time prioritizing fixes for issues found in runtime, and reduces risk.

The key for this to be successful, however, is to strike a healthy balance between enforcing security policies and moving fast. If security feedback becomes too noisy, engineers will ignore it, and if it becomes a blocker, they'll find a way around it. Either way, friction will ensue, and you'll end up having to scale back your DevSecOps efforts.

Sponsor, Rob Cuddy
Global Application Security Evangelist, HCL Software DevOps

The top trend is getting developers more involved in threat modeling activities and collaborating on them with security professionals. In 2019 Puppet Labs identified this as the #1 practice for having an impact and improving security posture. (page 35 of the 2019 State of DevOps Report)

Sponsor, Yasser Fuentes
Cloud Workload Security Technical Product Manager, Bitdefender

Security must now keep up with DevOps and the software delivery lifecycle and cadence acceleration. As a result, key areas such as Compliance, Vulnerability Management, Identity Access Management, Encryption and overall built-in security have to move at this same very high speed, otherwise non-secure code would end up deeming their software as unusable and off-market. One of the most feasible solutions (at least at a glance) for CISOs has been the adoption of the shared-ownership model of security, which facilitates application component owners to detect and fix their own related vulnerabilities. The same is true as per software intended to be sold to and used by the US Government - requirements oblige software companies to report, mitigate and fix any related vulnerabilities. However, the reality is that this is not and won't be by any means even close to 50 percent of what's required in order to ensure that the application is secure.

Sponsor, Joni Klippert
Co-Founder and CEO, StackHawk

The number of API-related security incidents is on the rise with Peloton, Coursera, and the latest Experian breach being recent examples from the last 12 months. And API security risk is going to get worse – Gartner cites that by 2022, API abuses will be the attack vector most responsible for data breaches.

Leading DevSecOps teams are beginning to awaken to the threat of API security, and updating their programs accordingly. Teams are proactively implementing processes to manage core API security principles like access control, rate limiting, data exposure testing, and vulnerability testing, in CI/CD to find issues before they are released to prod.

Like application security, API security doesn't have a silver bullet. DevSecOps teams need to implement the right tools from the planning stages of development to make sure their APIs are protected.

Stephen Walters
Sales Engineer, Everbridge

In my opinion, the top trend in DevSecOps right now is organizations and groups trying to understand exactly what it means to them. Just as we had many years of people asking the question, "What is DevOps?" before finally realizing that there is not an all-conclusive answer, but merely a base construct and an ideology, so we are seeing the same happen with DevSecOps. Yes, this time we have a slight jump on that, but the greatest challenge now, as then, is the cultural change that many traditional operators are having to face in the way they conduct their roles in day-to-day security.

For example, in traditional models, security has operated, or been made to operate, in a way that reflects its culture - closed, secretive and isolated from other functions - the greatest silo of silos. That has to change in a DevSecOps culture, where security must be open, integrated and part of the enterprise ecosystem. That is a seismic change for many and it requires a lot of effort upfront from all parties.

Learn more about DevSecOps and similar topics by registering for an upcoming SKILup Day. Or, start your upskilling journey by learning more about the benefits of DevOps Institute membership.

Go to 12 DevSecOps Trends to Watch Right Now - Part 2, providing even more expert opinions on DevSecOps.

Jayne Groll is CEO of DevOps Institute