ShiftLeft released a new version of NextGen Static Analysis (NG SAST), including new workflows, purpose-built for developers that significantly improve security, while enhancing productivity.
As part of DEVOPSdigest's 2020 predictions, industry experts offer predictions on how DevSecOps and related technologies will evolve and impact the business in 2020.
Start with 2020 DevOps Predictions
2019 marked a year of record breaking losses due to over zealous digital transformation issues. Issues created by lack of communication and visibility across the silos being key contributors. 2020 will mark the year of the Digital Transformation winners like the NFL being shined a light on. The year the 70-80% of Fortune 2000 failing at digital transformation, their vendors, and advisors — will take pause to think outside the box. They will finally realize that doing the same thing over and over while expecting a different result is the very definition of insanity and their inherent failure. 2020 will be the pivotal year for the Business, Security, Dev and Ops teams to work together to overcome the visibility challenges across their organizations causing the mass losses in planning and predictions. Tools that enable data integration across licensing, cloud, costs, and resources will further consolidate and the real data platform vendors will start to solve the Digital Dilemma once and for all.
Author and Strategist, iSpeak Cloud
SECURE BY DESIGN
In 2020, the principle of "secure by design" will attract greater attention, as it is a core cloud-native computing principle. DevSecOps will thus be less of a difficult combination of security and DevOps, and more of a business and architecture-driven approach that becomes an essential driver of appdev.
DEVOPS AND DEVSECOPS CONVERGENCE
DevOps will become part of every security discussion and security will become a part of every DevOps discussion. We will no longer need to use and explain the term DevSecOps.
DevOps Evangelist and Product Suite Marketing, CloudBees
CISO JOINS THE DEVOPS TEAM
The Chief Information Security Officer (CISO) will be part of the DevOps team, influencing a holistic approach to security within DevOps pipelines. Just as DevOps strives to deliver value quickly to the customer, it has the potential to unintentionally introduce security vulnerabilities quickly as well. This has spurred DevOps teams to embed security testing in the DevOps pipeline, increasing the sense of shared responsibility for security. Over the course of 2020, any remaining barriers between CISO staff and DevOps teams will be broken down, with CISO staff becoming full-fledged members of the DevOps team. Security will no longer be a bolt-on activity, and will become a standard component of any DevOps pipeline. Through closer cooperation with the CISO, DevOps security testing will go beyond static and dynamic application security testing (SAST and DAST) and adherence to corporate and regulatory policies. Acknowledging that no software is immune to attack, continuous testing will also include regular, proactive testing of security incident response and damage control protocols, to ensure that any breach can be contained immediately and its effects and costs limited.
Senior Solutions Manager, Application Delivery Management, Micro Focus
DEVSECOPS MERGES WITH ENGINEERING
At a high level, SaaS apps have highly tailored needs when it comes to information security and protecting customer data, and will require guidance and prioritization from product teams. Implementing these InfoSec needs will require the expertise of the security team, as well as resources of the engineering team, which are allocated by the product teams. Therefore, I predict that DevSecOps will merge into engineering and be guided by product. Currently, this is from an operational point of view due to the proximity to DevOps' technical capabilities. However, I see it as a strong business need that requires product and customer knowledge, to keep up with the increasing complexity of SaaS apps and the sensitive data these apps can access.
Shahar Ben Hador
VP, Product Management, Exabeam
AIOPS UNIFIES SECURITY AND OPS
DevOps organizations continue to adopt AIOps solutions at a rapid clip. SIEM vendors are exploring how AI/ML technology can add operational intelligence to their security event-driven processes. 2020 will see these two parallel drives begin to intersect. AIOps tools will begin to unify IT Operations and Information Security against the explosion of next-generation zero-day threats. The challenges of modern IT environments (i.e. multi-cloud, serverless, etc.) and continued vendor innovation will both fuel this trend.
Chief Evangelist, Moogsoft
SHARED SECURITY RESPONSIBILITY
Until the "shared security responsibility" among teams is complete, we will continue to face serious breaches. Now that a cultural shift has broken down the specialization between development and security teams, creating an environment of shared responsibility, infrastructure as code and orchestration has become more challenging. The truth is, it's not always clear what security responsibilities fall on Dev, Ops — or to both acting in concert. Until we see a re-balancing of security responsibilities explicitly into this shared model, we're going to see stuff fall through the cracks and result in serious breaches. Some organizations have focused on containers as a single point of control and means of addressing this complexity, but containers frequently don't provide the visibility and resolution to tackle security comprehensively.
Ernesto DiGiambattistaFounder, ZeroNorth
Security organizations will begin accepting that there is just too much to do, and not enough resources. Teams will start looking for methods to make the overall process less demanding as well as for new techniques to allocate resources most effectively. Vendors will start to focus more on making the process easier, while teams will start to lean more on defense in depth than perhaps they were previously. Prioritization techniques and frameworks will start having a seat at the front of the table. Asset management, discovery, and documentation will continue to be a challenge for enterprise organizations
Product Manager, WhiteHat Security