2019 DevSecOps Predictions - Part 1
January 28, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. Predictions will be posted in 2 parts, today and tomorrow.


The evolution of DevOps into DevSecOps will accelerate throughout 2019, as enterprises continue to recognize (and act on) the need to fully secure their applications throughout the entirety of the build-ship-run lifecycle. Enterprises are understanding how simple image scanning and host security leaves their applications far too vulnerable to zero-day exploits. The shift to secure the full application lifecycle is especially pressing within containerized environments, where enterprises are increasingly using containers in production and require specialized, automated container network security to detect and prevent network based attacks.
Gary Duan
CTO, NeuVector


2019 is about shifting left and problem prevention. The DevOps approach will enable organizations to more closely integrate their Application Security and Performance engineering practices in the CI/CD cycle and thus avoiding related defects in production.
Peco Karayanev
Product Management Director, Riverbed

The call for security to "Shift Left" will become better understood and more effective in practice. In 2018, Shift Left was often misused as a way to shift blame for insecure software to developers. In 2019, DevSecOps will become just another natural aspect of DevOps, where security is built into the process at every phase and is everyone's responsibility.
Tim Buntel
DevOps Advocate, XebiaLabs

DevSecOps will evolve with true shift-left development to accelerate push to production and protect the enterprise. Developers and engineering teams will need to be provided with ways to bake in security to the code without having to jump through hoops to pass corporate policies. And this baking in of security needs to be agentless, to enable runtime monitoring that not only provides insights about new vulnerabilities (that have arisen since code was pushed to production) but also identifies where exposed code is running.
Bart Copeland
CEO and President , ActiveState

As organizations move more workloads to the public cloud, they will need a more comprehensive and continuous approach to security. Most organizations use an approach that emphasizes controls at the end of a pipeline, such as firewalls and pen-testing. Just doing that, however, doesn't take into account the breadth required to secure modern cloud environments. Especially with agile and continuous deployment, security needs to find its place in quickly iterating processes, otherwise it gets left behind. Organizations will need to "shift left"; in other words, include security in developer IDEs or automate testing for common security issues during development. Additionally, organizations will want to automate security checks during the entirety of the development cycle.
Dan Hubbard
Chief Product Officer, Lacework


We've seen an acceleration in application/data breaches in 2018, and we'll see the trend continue into 2019. As breaches become more common, organizations will attempt to "shift left" as they bring a security mindset into the development/build process pre-production. In a perfect world, we should be able to identify and remediate vulnerabilities before they make it to production. However in reality, organizations that want to shift left might also have to take a step to the right first. The issue many teams face when attempting to shift left is that a large portion of what is being protected against is theoretical, which leads companies to focus solely on remediating against current threats. Encouraging teams to take a step right — in so far that we let developers fix issues as we see new attacks — can also facilitate a more complete shift left. Above all, shifting right to shift left allows organizations to focus on remediating what matters most, saving time, resources, and money. The savings should be used to improve every step of the secure software development lifecycle — from design through deployment.
Kunal Anand
CTO, Imperva


Developer awareness of security will rise. I recently conducted a study examining instances of developers mentions of code security on open source code development platforms and found that developer awareness about security and vulnerabilities is exploding. The number of mentions of the terms has significantly increased and maintained volume, demonstrating a growing awareness of software risks. While focus on security is increasing from developers, that doesn't mean security is assured — in fact, results from the open source code development and automatic code review platform LGTM.com confirm that new vulnerabilities are still introduced at a higher rate than old vulnerabilities are fixed. Humans are fallible and perfect code is impossible, while remote attacks on software will continue. In 2019, we'll see an extension of data from the survey, and greater developer awareness of cybersecurity within the code development cycle.
Albert Ziegler
Data Scientist, Semmle


2019 will be the beginning of the end for AppSec as we know it. While 2018 was in many regards the year of DevSecOps, we still only scratched the surface of its effect on the industry. 2019 will be the year CISOs, CIOs and CSOs all view DevSecOps as one of their top three investment priorities - and permanently change the way we think about AppSec, and who an AppSec professional is. Responsibility for AppSec will be handed over to Heads of Development, as it transforms officially into DevSec, where identification and remediation lie. 75% of developers will begin expecting security intelligence about their code to come from GitHub plugins — and across the development lifecycle.
Vulnerable applications are the number one attack vector leading to breaches — and the only way to truly build security into these applications is to combine Dev and Sec. AppSec must live where developers live and developers must understand security. 2019 will usher this in as non-negotiable business imperative. While I acknowledge the complete change won't take place overnight, I believe that 2019 will set in motion a massive 3-5 year transformation, that will leave current AppSec professionals out of a job by 2024, unless they seriously understand DevOps.
Derek Weeks
VP and DevOps Evangelist, Sonatype


Many of the most noteworthy recent breaches were the direct result of unsecured sensitive information living in public repositories, especially at companies using DevOps and the cloud to bring new applications to market at high velocity. Attackers are taking advantage of the failure of public and private organizations to implement basic security practices securing privileged access, and it's becoming an epidemic. In 2019, major public repositories will start introducing sophisticated guardrails designed to prevent developers from accidentally uploading security secrets. Organizations, however, can't rely on these safeguards. It's critical that they institutionalize a security-first culture in which everyone — not just developers — is empowered to "own" security, is provided with the tools and solutions needed to make it easier to keep networks secure without impacting DevOps workflows, and ensures the right processes are followed and respected.
Brian Kelly
Head of Conjur Engineering, CyberArk


As application security becomes integral to business success, a growing number of organizations will adopt DevSecOps practices, with developers, IT operations, and security specialists working closely together to continuously develop and deliver secure applications and services quicker than ever before. This in turn will drive a need for continuous monitoring of application performance, threats and vulnerabilities powered by complete end-to-end visibility of the application and the entire service delivery infrastructure, and all of their respective independencies, throughout the continuous delivery process. The continuous monitoring of the relevant telemetry would enable DevSecOps to establish common situational awareness and collaborate effectively. It would empower them to both proactively manage application performance by fixing issues before user experience is impacted, as well as detect application security threats and vulnerabilities, such as trap doors, backdoors and covert channels, that leave companies wide open to risk. To further mitigate threats, we expect to see increased uptake of application static, dynamic, fuzz and interface testing during the assessment phase, as well as vulnerability assessment and penetration testing, combined with continuous monitoring of applications and infrastructure. Through this approach, businesses will be able to identify application performance issues, threats and vulnerabilities at the earliest possible opportunity, and fully unlock DevSecOps' promised benefits.
Michael Segal
Area VP, Strategy, NetScout


Too often, SecOps or SIEM tools report on issues, but follow-up by DevOps is delayed. For security, this can result in major risks. We'll see wider deployment of tools that close the loop from this monitoring to change management, helping to automate many processes that require manual intervention. An example could be monitoring one's hybrid infrastructure for change in security posture, automatically triggering Ansible Playbooks to correct to the known good baseline.
Brajesh Goyal
VP, Engineering, Cavirin

Read 2019 DevSecOps Predictions - Part 2

Share this

Industry News

April 11, 2024

Check Point® Software Technologies Ltd. announced new email security features that enhance its Check Point Harmony Email & Collaboration portfolio: Patented unified quarantine, DMARC monitoring, archiving, and Smart Banners.

April 11, 2024

Automation Anywhere announced an expanded partnership with Google Cloud to leverage the combined power of generative AI and its own specialized, generative AI automation models to give companies a powerful solution to optimize and transform their business.

April 11, 2024

Jetic announced the release of Jetlets, a low-code and no-code block template, that allows users to easily build any technically advanced integration use case, typically not covered by alternative integration platforms.

April 10, 2024

Progress announced new powerful capabilities and enhancements in the latest release of Progress® Sitefinity®.

April 10, 2024

Buildkite signed a multi-year strategic collaboration agreement (SCA) with Amazon Web Services (AWS), the world's most comprehensive and broadly adopted cloud, to accelerate delivery of cloud-native applications across multiple industries, including digital native, financial services, retail or any enterprise undergoing digital transformation.

April 10, 2024

AppViewX announced new functionality in the AppViewX CERT+ certificate lifecycle management automation product that helps organizations prepare for Google’s proposed 90-day TLS certificate validity policy.

April 09, 2024

Rocket Software is addressing the growing demand for integrated security, compliance, and automation in software development with its latest release of Rocket® DevOps, formerly known as Aldon®.

April 09, 2024

Wind River announced the latest release of Wind River Studio Developer, an edge-to-cloud DevSecOps platform that accelerates development, deployment, and operation of mission-critical systems.

April 09, 2024

appCD announced its generative infrastructure from code solution now supports Azure Kubernetes Service (AKS).

April 09, 2024

Synopsys announced the availability of Black Duck® Supply Chain Edition, a new software composition analysis (SCA) offering that enables organizations to mitigate upstream risk in their software supply chains.

April 09, 2024

DataStax announced innovative integrations with API extensions to Google Cloud’s Vertex AI Extension and Vertex AI Search, offering developers an easier time leveraging their own data.

April 08, 2024

Parasoft introduced C/C++test CT, a comprehensive solution tailored for large teams engaged in the development of safety- and security-critical C and C++ products.

April 08, 2024

Endor Labs announced a strategic partnership with GuidePoint Security.

April 08, 2024

Hasura announced the V3 of its platform, providing on-demand API composability with a new domain-centric supergraph modeling framework, a distributed supergraph execution engine and a rich and extensible ecosystem of open source connectors to address the challenges faced during integration of data and APIs.

April 04, 2024

DataStax has entered into a definitive agreement to acquire AI startup, Logspace, the creators of Langflow, an open source visual framework for building retrieval-augmented generation (RAG) applications.1