2019 DevSecOps Predictions - Part 2
January 29, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. This is Part 2.

Start with 2019 DevSecOps Predictions - Part 1

APM SUPPORTS DEVSECOPS

Reaching the level of organizational maturity at which DevSecOps teams can function most efficiently and effectively requires silos of work to be broken down across the organization to foster a culture of collaboration and continuous communication. In 2019 we'll see growing demand for intelligent services that can offer the visibility, insight and common situational awareness that can help to achieve this kind of culture, freeing up the potential of DevSecOps, and affording organizations a greater opportunity for innovation. To establish effective common situational awareness and a feedback loop between Dev, Sec, Ops, QA and management teams, the APM would need to collect telemetry and analyze dependencies across the entire stack, including datalink, network, transport, session and application layers. Once application performance and its dependencies on the delivery infrastructure are analyzed, it would be possible to provide actionable intelligence that would enable DevSecOps to collaborate effectively and establish common situational awareness throughout the different stages of the continuous delivery and deployment pipelines.
Michael Segal
Area VP, Strategy, NetScout

MACHINE LEARNING SUPPORTS DEVSECOPS

DevSecOps has historically been viewed as both an art and a science, but we'll see the latter discipline take a more prominent role in 2019. As machine learning and risk engines evolve, they will finally be able to provide companies with valuable security data. This will allow organizations to embed security into all aspects of the software development lifecycle — something that, until now, has been an unattainable goal.
Andrew Useckas
CTO, Threat X

AI AND ML DO NOT HELP SECURITY

I don't think that AI/ML get us very far in security. For threats we understand, like SQL Injection for example, we are better off using strong detection and prevention technologies where we have confidence in exactly what is being checked. For threats we don't understand, AI/ML also don't get us anywhere. We need data to train the models that simply doesn't exist for novel threats. There are some corner cases where AI/ML can be very useful, but it's not going to fundamentally change security.
Jeff Williams
Co-Founder and CTO, Contrast Security

SECURITY DATA SCIENTIST ROLE EMERGES

As AI and ML become mainstream, a new breed of security data scientists will emerge in 2019. AI and ML techniques are data dependent. Preparing, processing, and interpreting data require data scientists to be polymaths. They need to know computer science, data science, and above all, need to have domain expertise to be able to tell bad data from good data and bad results from good results. What we have already begun seeing is the need for security experts who understand data science and computer science to be able to first make sense of the security data available to us today. Once this data is prepared, processed and interpreted, it can then be used by AI and ML techniques to automate security in real time.
Setu Kulkarni
VP of Corporate Strategy, WhiteHat Security

CONTINUED APPLICATION LAYER ATTACKS

We'll continue to see application layer attacks, on both custom code vulnerabilities and on vulnerabilities in open source libraries and frameworks.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD SECURITY RISK INCREASES

Regarding security in the cloud, history is likely to repeat itself, and as the move to the cloud continues, we'll inevitably see organizations spin up openly accessible servers and data in the cloud. This risk cannot be remediated with traditional security processes that are incompatible with DevOps CI/CD processes.
Reuven Harrison
CTO and Co-founder, Tufin

We'll see increasing attacks on misconfigured cloud environments. Organizations have been slow about ensuring that every cloud deployment is fully automated and continuously monitored.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD NATIVE CREATES NEW RISKS

New security risks will arise as the result of the complexity and immaturity of cloud-native environments. Cloud-native environments are inherently more secure when built and used properly. But the influx of the new technologies, tools, and knowledge to handle the extensive configuration of these systems is largely unfamiliar to many DevOps and security teams. In 2019, these teams must figure out what proper configurations look like and how to scale up security quickly to hedge against risks and external threats.
Kamal Shah
CEO, StackRox

FOCUS ON CLOUD NATIVE SECURITY

In 2019, we'll see more emphasis on security in cloud native organizations. Many are talking about it; this will be the year that they take action. To do this, there will be an emphasis on automation. There's no way that DevOps teams can get security into their environments without automation. To secure cloud-native environments, you must approach it from an automation-first perspective.
Reuven Harrison
CTO and Co-founder, Tufin

KUBERNETES SECURITY BECOMES ESSENTIAL

Kubernetes security will be even more critical to the holistic security of containerized environments.
Kubernetes is the orchestrator of choice for most container deployments and is central to effective container security. Kubernetes-related misconfigurations can expose organizations to significant risk if not set up properly. Moreover, the greater adoption of Kubernetes means more frequent targeting by attackers. The focus on Kubernetes over the next year has to turn from adoption to protection and hardening. Strong Kubernetes security is essential to protect containerized applications effectively.
Kamal Shah
CEO, StackRox

SOLVING SECURITY COMPLIANCE WITH DEVOPS

Innovation spurs security compliance resolution: The networking community will need to solve the issues of security compliance within DevOps. Security compliance is about making sure policies are not only followed but also ensuring local authentication credentials are rotated on a set schedule, keeping the operating system patched, and validating that improper access is not available at a service or application level. By adopting a more innovative, microservices-based approach to DevOps, the networking community can help ensure that security compliance is top of mind for operators.
Glenn Sullivan
Co-Founder, SnapRoute

OPEN SOURCE DRIVES CODE QUALITY AND SECURITY

Code quality will be tied to security, and open source will be a driver. Developers have long realized that open source logically can make code more secure, simply because more people are analyzing the code. Some of the world's largest conglomerates rely on open source for security. For example, Microsoft's acquisition of GitHub this year portended its status as the world's largest contributor to open source projects on GitHub, a strong indicator that the world's most influential companies value code quality. This critical mass will take hold in 2019, and more companies will embrace open source to improve the quality of their code.
Albert Ziegler
Data Scientist, Semmle

FOCUS ON THIRD-PARTY API SECURITY

In 2019, companies will start to become sensitive to their developers' use of calls out to third-party APIs. It's a blind spot in the vast majority of IT organizations, similar to the way that open source was ten years ago. Most companies understand the importance of ensuring that the APIs they publish are secure from outside attack, but few are even tracking their own code's use of web services via calls to third-party APIs from the inside out. Although there are other legal and business risks that come with reliance on third-party services, the visibility will likely arise from companies having to account for confidential data they are inadvertently passing to unknown and untrusted sources outside their firewalls.
Phil Odence
GM of Black Duck On-Demand, Synopsys

IDENTITIES BECOME THE NEW SECURITY PERIMETER

Identities will become the new security perimeter: In 2019, the big cloud providers will start to realize that most enterprises are not going to migrate 100% of their applications to public cloud and will focus on delivering solutions that provide a seamless hybrid cloud experience. This will further blur the definition of the security perimeter, effectively making "identities" the new perimeter. Couple this paradigm shift with the unprecedented levels of automation that give identities vast power, and enterprises will begin to rethink their approach to managing identity privileges across clouds. Enterprises will move away from depending on static role-based access controls (RBAC) to manage identity privileges and will start to turn to more dynamic authorization models (like activity-based controls) to achieve the principle of least privilege.
Balaji Parimi
CEO, CloudKnox Security

SECURITY IN 2019: NO PROGRESS?

Expect a giant leap for the security industry — not quite. I would be thrilled if this was the year that the security industry buckled down and started to focus on basic blocking and tackling — generating real assurance around the most likely and dangerous attacks. But probably it will be another year of knee-jerk reactions and point solutions.
Jeff Williams
Co-Founder and CTO, Contrast Security
