As part of DEVOPSdigest's 2020 predictions, industry experts offer predictions on how DevSecOps and related technologies will evolve and impact the business in 2020. Part 2 offers predictions about shifting left, automation and more.
Start with 2020 DevSecOps Predictions - Part 1
Start with 2020 DevOps Predictions
It's time for DevSecOps to really start catching on. The increase in cyber incidents should be enough warning for organizations that they have to start doing a better job with cybersecurity and AppSec. DevSecOps means getting security to permeate your entire process and organization. Part of this is testing early and often, which is achieved with technologies like service virtualization and modern test automation tools. Organizations that are serious about security will shift even further left by building code and systems that are more secure in the first place. This will be done like other industries by relying on known best practices as embodied in proven quality, safety, and security coding standards like MISRA, UL 2900, and CERT.
Security will continue to "Shift Left" (with a little help from the cloud). The rise of cloud infrastructure will be a positive force in driving this change. DevOps will help — ensuring the value of security is front and center. As security is tackled early in the development process, companies will no longer be able to sidestep or delay security processes and procedures, let alone question if they're affordable.
SVP of Engineering, PagerDuty
DevSecOps will shift left as enterprises prioritize security and employee privacy: A reported 53% of online users are currently more concerned about their online privacy compared to a year ago. With heightened privacy concerns, there will be an increased focus on addressing both corporate security and user privacy concerns much earlier in the development cycle. Dev teams will start investigating tech that provides granular controls that address both security and privacy, such as app-level security. In parallel, teams will also investigate how to automate security integration into the development lifecycle. Cybersecurity programming skills are in short supply and there is no cost-effective way for teams to address the growing dev demands through solely manual coding. Having security automatically integrated addresses the mundane nature of certain repeatable processes, freeing up developer time. More importantly, automation that brings in security tech early in the lifecycle allows the entire solution to be tested at once, again saving dev cycles. If security isn't shifted left (i.e., brought into the dev cycle early), testing will have to be repeated once security is added in.
VP of Products, Blue Cedar
There are more apps in production than before, and the risk of apps being breached at this stage is at an all-time high. Apps in production are most vulnerable, with a higher time to fix and window of exposure. Plus, with most development teams short on resources, it's often hard for them to focus on the security aspect. Therefore, these apps are easy for hackers to exploit. In fact, an average of more than 50% of apps are always vulnerable for organizations that don't have the right secure development practices in place. When you "think right" you are: starting with highest-risk apps in production to find and fix vulnerabilities; incorporating security measures at the most critical points in the software lifecycle (SLC), starting with production; integrating security throughout the SLC from production all the way to development. In 2020, we will see this approach being adopted more widely.
VP, Strategy and Business Development, WhiteHat Security
AUTOMATION OF SECURITY
We're going to see security engineering — DevSecOps — become actual practice. Teams will be writing more code that automates security controls and compliance requirements. The need here is inevitable and urgent: because so much of this cloud-native world is highly dynamic, with so many moving parts, we can no longer get by with people manually doing security or compliance checks. Security and compliance controls must be automated if we are going to truly realize the time-to-market promise of containerization.
CTO and Co-Founder, Styra
In 2020, we will see organizations automating enforcement, remediation, and response as it relates to cybersecurity. Trying to "Shift Left," cover the middle, and respond to runtime attacks is simply too much to handle without tapping into the power of automation. At the same time, security automation is risky. What if you disrupt services and cause an outage? Now that we have automated most every other piece in the development lifecycle, it's time to figure out how to take security automation to the next level. Just as technology and automation has empowered developers and applications, it too will empower security. In 2020, we will see the difficult and complex security issues addressed with automation. This will extend from early enforcement before deployment, to continuous security of infrastructure, to automating incident response at run-time.
Director of Research, Lacework
Security "policy as code" — and overall, easier security automation — will change how DevOps (and DevSecOps) teams approach container security in 2020. Kubernetes ConfigMaps and Custom Resource Definitions (CRDs) are making it possible for configurations and rules to be automated right into the CI/CD and DevOps pipeline. Because of this, DevOps teams in 2020 will be much better equipped to analyze application behavior and set security policies for any and all workload deployments via YAML files. Expect this evolution of more efficient and automated security integration processes to be a particularly welcome change for DevOps.
DEVSECOPS BUILT INTO CI
With the rising number of data breaches and increased emphasis on data privacy regulations such as PSD2 and GDPR both in the US and globally, DevOps-savvy organizations will be forced to prioritize diligence in security measures over time to market in the year ahead. As new regulations are put into place, more application developers will be mandated to build strict security policies directly within code. There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into everyday CI (continuous integration) workflows.
Senior Product Manager, Akamai
DEVSECOPS UNLOCKS POWER OF THE CLOUD
As enterprises realize the necessity and opportunity of integrating security into the CI/CD pipeline in 2020, they will simultaneously unlock the promise of the cloud for extreme agility while improving overall security and compliance. As a bonus, doing this well can eliminate the historical conflict between application/development and security and turn it into a positive, beneficial collaboration.
CTO and Co-founder, Tufin