DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. Predictions will be posted in 2 parts, today and tomorrow.
DEVOPS ACCELERATES EVOLUTION INTO DEVSECOPS
The evolution of DevOps into DevSecOps will accelerate throughout 2019, as enterprises continue to recognize (and act on) the need to fully secure their applications throughout the entirety of the build-ship-run lifecycle. Enterprises are understanding how simple image scanning and host security leaves their applications far too vulnerable to zero-day exploits. The shift to secure the full application lifecycle is especially pressing within containerized environments, where enterprises are increasingly using containers in production and require specialized, automated container network security to detect and prevent network based attacks.
SECURITY SHIFTS LEFT
2019 is about shifting left and problem prevention. The DevOps approach will enable organizations to more closely integrate their Application Security and Performance engineering practices in the CI/CD cycle and thus avoiding related defects in production.
Product Management Director, Riverbed
The call for security to "Shift Left" will become better understood and more effective in practice. In 2018, Shift Left was often misused as a way to shift blame for insecure software to developers. In 2019, DevSecOps will become just another natural aspect of DevOps, where security is built into the process at every phase and is everyone's responsibility.
DevOps Advocate, XebiaLabs
DevSecOps will evolve with true shift-left development to accelerate push to production and protect the enterprise. Developers and engineering teams will need to be provided with ways to bake in security to the code without having to jump through hoops to pass corporate policies. And this baking in of security needs to be agentless, to enable runtime monitoring that not only provides insights about new vulnerabilities (that have arisen since code was pushed to production) but also identifies where exposed code is running.
CEO and President , ActiveState
As organizations move more workloads to the public cloud, they will need a more comprehensive and continuous approach to security. Most organizations use an approach that emphasizes controls at the end of a pipeline, such as firewalls and pen-testing. Just doing that, however, doesn't take into account the breadth required to secure modern cloud environments. Especially with agile and continuous deployment, security needs to find its place in quickly iterating processes, otherwise it gets left behind. Organizations will need to "shift left"; in other words, include security in developer IDEs or automate testing for common security issues during development. Additionally, organizations will want to automate security checks during the entirety of the development cycle.
Chief Product Officer, Lacework
SHIFTING RIGHT TO SHIFT LEFT
We've seen an acceleration in application/data breaches in 2018, and we'll see the trend continue into 2019. As breaches become more common, organizations will attempt to "shift left" as they bring a security mindset into the development/build process pre-production. In a perfect world, we should be able to identify and remediate vulnerabilities before they make it to production. However in reality, organizations that want to shift left might also have to take a step to the right first. The issue many teams face when attempting to shift left is that a large portion of what is being protected against is theoretical, which leads companies to focus solely on remediating against current threats. Encouraging teams to take a step right — in so far that we let developers fix issues as we see new attacks — can also facilitate a more complete shift left. Above all, shifting right to shift left allows organizations to focus on remediating what matters most, saving time, resources, and money. The savings should be used to improve every step of the secure software development lifecycle — from design through deployment.
DEVELOPER AWARENESS OF SECURITY WILL RISE
Developer awareness of security will rise. I recently conducted a study examining instances of developers mentions of code security on open source code development platforms and found that developer awareness about security and vulnerabilities is exploding. The number of mentions of the terms has significantly increased and maintained volume, demonstrating a growing awareness of software risks. While focus on security is increasing from developers, that doesn't mean security is assured — in fact, results from the open source code development and automatic code review platform LGTM.com confirm that new vulnerabilities are still introduced at a higher rate than old vulnerabilities are fixed. Humans are fallible and perfect code is impossible, while remote attacks on software will continue. In 2019, we'll see an extension of data from the survey, and greater developer awareness of cybersecurity within the code development cycle.
Data Scientist, Semmle
THE BEGINNING OF THE END FOR APPSEC
2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75% of developers will begin expecting security intelligence about their code to come from GitHub plugins — and across the development lifecycle.
Vulnerable applications are the number one attack vector leading to breaches — and the only way to truly build security into these applications is to combine Dev and Sec. AppSec must live where developers live and developers must understand security. 2019 will usher this in as non-negotiable business imperative. While I acknowledge the complete change won't take place overnight, I believe that 2019 will set in motion a massive 3-5 year transformation, that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps.
VP and DevOps Evangelist, Sonatype
SECURITY FIRST CULTURE
Many of the most noteworthy recent breaches were the direct result of unsecured sensitive information living in public repositories, especially at companies using DevOps and the cloud to bring new applications to market at high velocity. Attackers are taking advantage of the failure of public and private organizations to implement basic security practices securing privileged access, and it's becoming an epidemic. In 2019, major public repositories will start introducing sophisticated guardrails designed to prevent developers from accidentally uploading security secrets. Organizations, however, can't rely on these safeguards. It's critical that they institutionalize a security-first culture in which everyone — not just developers — is empowered to "own" security, is provided with the tools and solutions needed to make it easier to keep networks secure without impacting DevOps workflows, and ensures the right processes are followed and respected.
Head of Conjur Engineering, CyberArk
As application security becomes integral to business success, a growing number of organizations will adopt DevSecOps practices, with developers, IT operations, and security specialists working closely together to continuously develop and deliver secure applications and services quicker than ever before. This in turn will drive a need for continuous monitoring of application performance, threats and vulnerabilities powered by complete end-to-end visibility of the application and the entire service delivery infrastructure, and all of their respective independencies, throughout the continuous delivery process. The continuous monitoring of the relevant telemetry would enable DevSecOps to establish common situational awareness and collaborate effectively. It would empower them to both proactively manage application performance by fixing issues before user experience is impacted, as well as detect application security threats and vulnerabilities, such as trap doors, backdoors and covert channels, that leave companies wide open to risk. To further mitigate threats, we expect to see increased uptake of application static, dynamic, fuzz and interface testing during the assessment phase, as well as vulnerability assessment and penetration testing, combined with continuous monitoring of applications and infrastructure. Through this approach, businesses will be able to identify application performance issues, threats and vulnerabilities at the earliest possible opportunity, and fully unlock DevSecOps' promised benefits.
Area VP, Strategy, NetScout
CLOSING THE LOOP FROM MONITORING TO CHANGE MANAGEMENT
Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We'll see wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one's hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct to the known good baseline.
VP, Engineering, Cavirin