2019 DevSecOps Predictions - Part 1
January 28, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. Predictions will be posted in 2 parts, today and tomorrow.


The evolution of DevOps into DevSecOps will accelerate throughout 2019, as enterprises continue to recognize (and act on) the need to fully secure their applications throughout the entirety of the build-ship-run lifecycle. Enterprises are understanding how simple image scanning and host security leave their applications far too vulnerable to zero-day exploits. The shift to secure the full application lifecycle is especially pressing within containerized environments, where enterprises are increasingly using containers in production and require specialized, automated container network security to detect and prevent network-based attacks.
Gary Duan
CTO, NeuVector


2019 is about shifting left and problem prevention. The DevOps approach will enable organizations to more closely integrate their Application Security and Performance engineering practices in the CI/CD cycle and thus avoid related defects in production.
Peco Karayanev
Product Management Director, Riverbed

The call for security to "Shift Left" will become better understood and more effective in practice. In 2018, Shift Left was often misused as a way to shift blame for insecure software to developers. In 2019, DevSecOps will become just another natural aspect of DevOps, where security is built into the process at every phase and is everyone's responsibility.
Tim Buntel
DevOps Advocate, XebiaLabs

DevSecOps will evolve with true shift-left development to accelerate push to production and protect the enterprise. Developers and engineering teams will need to be provided with ways to bake in security to the code without having to jump through hoops to pass corporate policies. And this baking in of security needs to be agentless, to enable runtime monitoring that not only provides insights about new vulnerabilities (that have arisen since code was pushed to production) but also identifies where exposed code is running.
Bart Copeland
CEO and President, ActiveState

As organizations move more workloads to the public cloud, they will need a more comprehensive and continuous approach to security. Most organizations use an approach that emphasizes controls at the end of a pipeline, such as firewalls and pen-testing. Just doing that, however, doesn't take into account the breadth required to secure modern cloud environments. Especially with agile and continuous deployment, security needs to find its place in quickly iterating processes, otherwise it gets left behind. Organizations will need to "shift left"; in other words, include security in developer IDEs or automate testing for common security issues during development. Additionally, organizations will want to automate security checks during the entirety of the development cycle.
Dan Hubbard
Chief Product Officer, Lacework


We've seen an acceleration in application/data breaches in 2018, and we'll see the trend continue into 2019. As breaches become more common, organizations will attempt to "shift left" as they bring a security mindset into the development/build process pre-production. In a perfect world, we should be able to identify and remediate vulnerabilities before they make it to production. However, in reality, organizations that want to shift left might also have to take a step to the right first. The issue many teams face when attempting to shift left is that a large portion of what is being protected against is theoretical, which leads companies to focus solely on remediating against current threats. Encouraging teams to take a step right, insofar as we let developers fix issues as we see new attacks, can also facilitate a more complete shift left. Above all, shifting right to shift left allows organizations to focus on remediating what matters most, saving time, resources, and money. The savings should be used to improve every step of the secure software development lifecycle, from design through deployment.
Kunal Anand
CTO, Imperva


Developer awareness of security will rise. I recently conducted a study examining instances of developers' mentions of code security on open source code development platforms and found that developer awareness about security and vulnerabilities is exploding. The number of mentions of the terms has significantly increased and maintained volume, demonstrating a growing awareness of software risks. While focus on security is increasing from developers, that doesn't mean security is assured; in fact, results from the open source code development and automatic code review platform LGTM.com confirm that new vulnerabilities are still introduced at a higher rate than old vulnerabilities are fixed. Humans are fallible and perfect code is impossible, while remote attacks on software will continue. In 2019, we'll see an extension of data from the survey, and greater developer awareness of cybersecurity within the code development cycle.
Albert Ziegler
Data Scientist, Semmle


2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75% of developers will begin expecting security intelligence about their code to come from GitHub plugins — and across the development lifecycle.
Vulnerable applications are the number one attack vector leading to breaches, and the only way to truly build security into these applications is to combine Dev and Sec. AppSec must live where developers live and developers must understand security. 2019 will usher this in as a non-negotiable business imperative. While I acknowledge the complete change won't take place overnight, I believe that 2019 will set in motion a massive 3-5 year transformation that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps.
Derek Weeks
VP and DevOps Evangelist, Sonatype


Many of the most noteworthy recent breaches were the direct result of unsecured sensitive information living in public repositories, especially at companies using DevOps and the cloud to bring new applications to market at high velocity. Attackers are taking advantage of the failure of public and private organizations to implement basic security practices for securing privileged access, and it's becoming an epidemic. In 2019, major public repositories will start introducing sophisticated guardrails designed to prevent developers from accidentally uploading security secrets. Organizations, however, can't rely on these safeguards. It's critical that they institutionalize a security-first culture in which everyone, not just developers, is empowered to "own" security, is provided with the tools and solutions needed to make it easier to keep networks secure without impacting DevOps workflows, and ensures the right processes are followed and respected.
Brian Kelly
Head of Conjur Engineering, CyberArk
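The guardrail Kelly describes does not have to wait for the hosting platform: the same check can run locally before a commit leaves the developer's machine. The following is an added example, not CyberArk or Conjur code, of a minimal pre-commit secret scanner. It combines two public credential formats (the AWS access key ID shape and the PEM private-key header) with a heuristic rule for `password=`/`api_key=` style assignments, and uses a Shannon-entropy threshold (the 3.5 bits/char value is an assumption to tune per repository) to suppress obvious placeholders. The diff it scans is constructed; the AWS key in it is Amazon's documented example key, and the base64 "api key" decodes to the words "this is not a real key".

```python
"""Pre-commit style secret scanner (added illustration, not CyberArk/Conjur code).

Scans only the added ('+') lines of a unified diff, so secrets already in
history are out of scope here; they need rotation, not a commit hook.
"""
import math
import re
from collections import Counter

# Known credential shapes. The AWS access key ID format and the PEM header are
# public formats; the "generic_secret_assignment" rule is a heuristic.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "generic_secret_assignment": re.compile(
        r"(?i)\b(?:api[_-]?key|secret|password|token)\b\s*[:=]\s*['\"]?([A-Za-z0-9/+_\-]{16,})"
    ),
}

ENTROPY_THRESHOLD = 3.5  # bits per character; assumption, tune per repository


def shannon_entropy(s: str) -> float:
    """Shannon entropy of a string in bits/char; random tokens score high,
    placeholders such as 'password_password' score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def scan_line(line: str) -> list:
    """Return the names of the rules that fire on one line of content."""
    findings = []
    for name, pattern in PATTERNS.items():
        match = pattern.search(line)
        if not match:
            continue
        if name == "generic_secret_assignment":
            # Heuristic rule: only report values that look random enough.
            if shannon_entropy(match.group(1)) < ENTROPY_THRESHOLD:
                continue
        findings.append(name)
    return findings


def scan_diff(diff_text: str) -> list:
    """Return (diff_line_number, rule_name) for every added line that trips a rule."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        # Only added lines matter; '+++' is the file header, not content.
        if not line.startswith("+") or line.startswith("+++"):
            continue
        for name in scan_line(line[1:]):
            findings.append((lineno, name))
    return findings


# Constructed sample diff. "AKIAIOSFODNN7EXAMPLE" is Amazon's documented
# example access key ID, not a live credential.
SAMPLE_DIFF = """\
--- a/config/settings.py
+++ b/config/settings.py
@@ -1,3 +1,8 @@
 DEBUG = False
+DB_HOST = "db.internal"
+AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
+password = "password_password"
+api_key = "dGhpcyBpcyBub3QgYSByZWFsIGtleQ"
+-----BEGIN OPENSSH PRIVATE KEY-----
-LEGACY_FLAG = True
"""


def main() -> int:
    """Exit non-zero (blocking the commit) when anything is found."""
    findings = scan_diff(SAMPLE_DIFF)
    for lineno, name in findings:
        print(f"diff line {lineno}: possible secret ({name})")
    return 1 if findings else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Wired into a hook, the script would read `git diff --cached` from stdin instead of `SAMPLE_DIFF`; the entropy gate is what keeps a rule like `password =` from blocking every test fixture, at the cost of missing low-entropy real passwords, which is why the format-specific rules are not gated.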


As application security becomes integral to business success, a growing number of organizations will adopt DevSecOps practices, with developers, IT operations, and security specialists working closely together to continuously develop and deliver secure applications and services quicker than ever before. This in turn will drive a need for continuous monitoring of application performance, threats and vulnerabilities powered by complete end-to-end visibility of the application and the entire service delivery infrastructure, and all of their respective interdependencies, throughout the continuous delivery process. The continuous monitoring of the relevant telemetry would enable DevSecOps teams to establish common situational awareness and collaborate effectively. It would empower them to both proactively manage application performance by fixing issues before user experience is impacted, as well as detect application security threats and vulnerabilities, such as trap doors, backdoors and covert channels, that leave companies wide open to risk. To further mitigate threats, we expect to see increased uptake of application static, dynamic, fuzz and interface testing during the assessment phase, as well as vulnerability assessment and penetration testing, combined with continuous monitoring of applications and infrastructure. Through this approach, businesses will be able to identify application performance issues, threats and vulnerabilities at the earliest possible opportunity, and fully unlock DevSecOps' promised benefits.
Michael Segal
Area VP, Strategy, NetScout


Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We'll see wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one's hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct back to the known-good baseline.
Brajesh Goyal
VP, Engineering, Cavirin
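The closed loop Goyal sketches has three parts: a known-good baseline, a comparison against what a collector actually observed, and a mapping from each kind of drift to the playbook that repairs it. The following is an added example, not Cavirin's product code, showing that loop in Python. The baseline, the observed host snapshot, and the playbook file names (`harden_sshd.yml` and so on) are all constructed assumptions; the `ansible-playbook` flags used (`--limit`, `--extra-vars`, `--check`) are real ones. It fails closed on settings the collector did not report, treats the port list as an allow-list, and builds one invocation per host and playbook rather than one per finding.

```python
"""Posture drift -> Ansible remediation (added illustration, not Cavirin code).

Baseline, observed snapshot and playbook names below are constructed assumptions.
"""
import json
import shlex
from dataclasses import dataclass

MISSING = object()  # sentinel: the collector reported nothing for this check

# Known-good baseline. Scalars must match exactly; the port set is an allow-list.
BASELINE = {
    "sshd.PermitRootLogin": "no",
    "sshd.PasswordAuthentication": "no",
    "firewall.enabled": True,
    "listening_tcp_ports": {22, 443},
}

# Constructed snapshot, as a posture collector might report it per host.
OBSERVED = {
    "web-01": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no",
               "firewall.enabled": True, "listening_tcp_ports": {22, 443}},
    "web-02": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no",
               "firewall.enabled": False, "listening_tcp_ports": {22, 443, 8080}},
    # db-01 never reported PasswordAuthentication at all.
    "db-01": {"sshd.PermitRootLogin": "no",
              "firewall.enabled": True, "listening_tcp_ports": {22}},
}

# Which (assumed) playbook repairs which check.
REMEDIATION = {
    "sshd.PermitRootLogin": "harden_sshd.yml",
    "sshd.PasswordAuthentication": "harden_sshd.yml",
    "firewall.enabled": "enable_firewall.yml",
    "listening_tcp_ports": "close_unexpected_ports.yml",
}


@dataclass(frozen=True)
class Drift:
    host: str
    check: str
    expected: object
    actual: object


def detect_drift(baseline: dict, observed_by_host: dict) -> list:
    """Compare every host against the baseline; unreported settings count as drift."""
    drifts = []
    for host in sorted(observed_by_host):
        observed = observed_by_host[host]
        for check, expected in baseline.items():
            actual = observed.get(check, MISSING)
            if actual is MISSING:
                # Fail closed: an unreported setting cannot be assumed compliant.
                drifts.append(Drift(host, check, expected, "<unreported>"))
            elif isinstance(expected, set):
                extra = set(actual) - expected  # ports outside the allow-list
                if extra:
                    drifts.append(Drift(host, check, sorted(expected), sorted(extra)))
            elif actual != expected:
                drifts.append(Drift(host, check, expected, actual))
    return drifts


def remediation_commands(drifts: list, dry_run: bool = True) -> list:
    """One ansible-playbook argv per (host, playbook); drifted checks are passed
    as extra vars so the playbook can target exactly what is wrong."""
    grouped = {}
    for d in drifts:
        playbook = REMEDIATION[d.check]
        grouped.setdefault((d.host, playbook), {})[d.check] = d.actual
    commands = []
    for (host, playbook), drifted in sorted(grouped.items()):
        cmd = ["ansible-playbook", playbook, "--limit", host,
               "--extra-vars", json.dumps({"drifted": drifted}, sort_keys=True)]
        if dry_run:
            cmd.append("--check")  # Ansible's dry run; drop it to actually remediate
        commands.append(cmd)
    return commands


def main() -> None:
    drifts = detect_drift(BASELINE, OBSERVED)
    for d in drifts:
        print(f"{d.host}: {d.check} expected={d.expected!r} actual={d.actual!r}")
    for cmd in remediation_commands(drifts, dry_run=True):
        print(shlex.join(cmd))


if __name__ == "__main__":
    main()
```

In a real deployment the commands would be handed to a job runner (or to AWX/Tower) rather than printed, and the drift list itself is worth keeping as the audit record: it is the evidence that the change was driven by a posture delta and not by an unreviewed manual fix.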

Read 2019 DevSecOps Predictions - Part 2
