2019 DevSecOps Predictions - Part 1
January 28, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. Predictions will be posted in 2 parts, today and tomorrow.


The evolution of DevOps into DevSecOps will accelerate throughout 2019, as enterprises continue to recognize (and act on) the need to fully secure their applications throughout the entirety of the build-ship-run lifecycle. Enterprises are understanding how simple image scanning and host security leaves their applications far too vulnerable to zero-day exploits. The shift to secure the full application lifecycle is especially pressing within containerized environments, where enterprises are increasingly using containers in production and require specialized, automated container network security to detect and prevent network based attacks.
Gary Duan
CTO, NeuVector


2019 is about shifting left and problem prevention. The DevOps approach will enable organizations to more closely integrate their Application Security and Performance engineering practices in the CI/CD cycle and thus avoid related defects in production.
Peco Karayanev
Product Management Director, Riverbed

The call for security to "Shift Left" will become better understood and more effective in practice. In 2018, Shift Left was often misused as a way to shift blame for insecure software to developers. In 2019, DevSecOps will become just another natural aspect of DevOps, where security is built into the process at every phase and is everyone's responsibility.
Tim Buntel
DevOps Advocate, XebiaLabs

DevSecOps will evolve with true shift-left development to accelerate push to production and protect the enterprise. Developers and engineering teams will need to be provided with ways to bake in security to the code without having to jump through hoops to pass corporate policies. And this baking in of security needs to be agentless, to enable runtime monitoring that not only provides insights about new vulnerabilities (that have arisen since code was pushed to production) but also identifies where exposed code is running.
Bart Copeland
CEO and President, ActiveState

As organizations move more workloads to the public cloud, they will need a more comprehensive and continuous approach to security. Most organizations use an approach that emphasizes controls at the end of a pipeline, such as firewalls and pen-testing. Just doing that, however, doesn't take into account the breadth required to secure modern cloud environments. Especially with agile and continuous deployment, security needs to find its place in quickly iterating processes, otherwise it gets left behind. Organizations will need to "shift left"; in other words, include security in developer IDEs or automate testing for common security issues during development. Additionally, organizations will want to automate security checks during the entirety of the development cycle.
Dan Hubbard
Chief Product Officer, Lacework


We've seen an acceleration in application/data breaches in 2018, and we'll see the trend continue into 2019. As breaches become more common, organizations will attempt to "shift left" as they bring a security mindset into the development/build process pre-production. In a perfect world, we should be able to identify and remediate vulnerabilities before they make it to production. However, in reality, organizations that want to shift left might also have to take a step to the right first. The issue many teams face when attempting to shift left is that a large portion of what is being protected against is theoretical, which leads companies to focus solely on remediating against current threats. Encouraging teams to take a step right — in so far that we let developers fix issues as we see new attacks — can also facilitate a more complete shift left. Above all, shifting right to shift left allows organizations to focus on remediating what matters most, saving time, resources, and money. The savings should be used to improve every step of the secure software development lifecycle — from design through deployment.
Kunal Anand
CTO, Imperva


Developer awareness of security will rise. I recently conducted a study examining instances of developers' mentions of code security on open source code development platforms and found that developer awareness about security and vulnerabilities is exploding. The number of mentions of the terms has significantly increased and maintained volume, demonstrating a growing awareness of software risks. While focus on security is increasing from developers, that doesn't mean security is assured — in fact, results from the open source code development and automatic code review platform LGTM.com confirm that new vulnerabilities are still introduced at a higher rate than old vulnerabilities are fixed. Humans are fallible and perfect code is impossible, while remote attacks on software will continue. In 2019, we'll see an extension of data from the survey, and greater developer awareness of cybersecurity within the code development cycle.
Albert Ziegler
Data Scientist, Semmle


2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75% of developers will begin expecting security intelligence about their code to come from GitHub plugins — and across the development lifecycle.
Vulnerable applications are the number one attack vector leading to breaches — and the only way to truly build security into these applications is to combine Dev and Sec. AppSec must live where developers live and developers must understand security. 2019 will usher this in as a non-negotiable business imperative. While I acknowledge the complete change won't take place overnight, I believe that 2019 will set in motion a massive 3-5 year transformation that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps.
Derek Weeks
VP and DevOps Evangelist, Sonatype


Many of the most noteworthy recent breaches were the direct result of unsecured sensitive information living in public repositories, especially at companies using DevOps and the cloud to bring new applications to market at high velocity. Attackers are taking advantage of the failure of public and private organizations to implement basic security practices securing privileged access, and it's becoming an epidemic. In 2019, major public repositories will start introducing sophisticated guardrails designed to prevent developers from accidentally uploading security secrets. Organizations, however, can't rely on these safeguards. It's critical that they institutionalize a security-first culture in which everyone — not just developers — is empowered to "own" security, is provided with the tools and solutions needed to make it easier to keep networks secure without impacting DevOps workflows, and ensures the right processes are followed and respected.
Brian Kelly
Head of Conjur Engineering, CyberArk


As application security becomes integral to business success, a growing number of organizations will adopt DevSecOps practices, with developers, IT operations, and security specialists working closely together to continuously develop and deliver secure applications and services quicker than ever before. This in turn will drive a need for continuous monitoring of application performance, threats and vulnerabilities powered by complete end-to-end visibility of the application and the entire service delivery infrastructure, and all of their respective interdependencies, throughout the continuous delivery process. The continuous monitoring of the relevant telemetry would enable DevSecOps to establish common situational awareness and collaborate effectively. It would empower them to both proactively manage application performance by fixing issues before user experience is impacted, as well as detect application security threats and vulnerabilities, such as trap doors, backdoors and covert channels, that leave companies wide open to risk. To further mitigate threats, we expect to see increased uptake of application static, dynamic, fuzz and interface testing during the assessment phase, as well as vulnerability assessment and penetration testing, combined with continuous monitoring of applications and infrastructure. Through this approach, businesses will be able to identify application performance issues, threats and vulnerabilities at the earliest possible opportunity, and fully unlock DevSecOps' promised benefits.
Michael Segal
Area VP, Strategy, NetScout


Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We'll see wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one's hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct to the known good baseline.
Brajesh Goyal
VP, Engineering, Cavirin

Read 2019 DevSecOps Predictions - Part 2
