2021 DevSecOps Predictions - Part 2
January 28, 2021

DEVOPSdigest asked DevOps and development experts from across the industry for their 2021 DevSecOps predictions:

Start with 2021 DevSecOps Predictions - Part 1


Zero-trust security will become the prevailing model for organizations in 2021. With more companies moving to distributed architectures, technology teams need a scalable way to make security foolproof while managing a growing number of microservices and greater complexity. Companies should act as though every person and service (whether internal or external) could have malicious intent, and implement zero-trust security protocols to adequately protect their services, applications and the data that flows through them. Failure to do so will only result in more high-profile data breaches, widespread outages, and heightened concerns from customers.
Marco Palladino,
CTO and Co-Founder, Kong

The coming year will see an increased focus on implementing zero trust architectures in DevSecOps. As tools for automation continue to improve and advance toward ubiquitous commodity/table stakes, the organizational bottlenecks around "authority to operate" continue to prevent many organizations from fully realizing the velocity to value that DevSecOps facilitates. Organizations that embrace zero trust have a leg up in overcoming this last bastion of traditional "castle and moat" IT security. In the same way that CI/CD and APM established the trust that brought together the development and operator communities, establishing a software defined IT security ecosystem that is equally observable and with no implicit trust is paramount to gaining buy-in of authorizing officials. Paradoxically, proving that from an IT perspective you don't implicitly trust anyone/anything is the key to establishing a high-trust DevSecOps culture.
Bob Ritchie,
VP of Software, SAIC


If 2020 was the year of the API, 2021 will be the year where cloud native security steals the spotlight. The focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority. In its current state, widespread understanding of cloud native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have employed to boost efficiency and productivity. But at each point of connection there is risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
Erez Yalon
Director of Security Research, Checkmarx


DevOps will take more advantage of security automation in 2021, baking these procedures in from the start and saving a lot of headache. Security management tools and related solutions can be leveraged to implement CI/CD pipelines that are automated, secure, and result in secure applications with minimal exposed threat vectors and vulnerabilities. Also, there's tremendous value in utilizing security-hardened managed services and open source tools, which can further reduce the burden on internal DevOps teams to expedite development without compromising security. Where possible, DevOps teams will increasingly vet and tap managed options rather than building everything from the ground up securely.
Anil Inamdar
VP and Head of US Consulting, Instaclustr


DevOps teams will increasingly turn to behavioral learning-based security strategies as a newer approach to locking down (and preventing) abnormal activities within their production environments. Those that still depend on traditional signature-based threat detection will increasingly realize that their solutions aren't efficient or quick enough to effectively secure modern dynamic workloads, such as those used by container or serverless applications. DevOps security requires threat detection methods that are fast, lightweight, immutable, and built to operate inline and at scale. Behavior detection checks those boxes, and will secure a growing number of production workloads throughout 2021.
Fei Huang
Chief Strategy Officer, NeuVector

ABS: Always Be Securing

The adoption of continuous delivery became a natural extension of the Agile and DevOps transformations of the last decade, yet the adoption of CI/CD pipelines further siloed security as their processes failed to keep up. As organizations continue to evolve their continuous delivery processes in 2021, they will finally include security through SecDevOps orchestration, which ensures a repeatable and reliable execution of the security processes at every step of the SDLC by leveraging automation to scale the program at speed. With SecDevOps, security becomes part of building-in quality from the start so all teams know what the definition of "done" is, which is not about producing perfectly secure code, but understanding each individual application's security profile to prevent and fix the most important security issues early. By continually managing security practices, policies, and debt in existing CI/CD pipelines, SecDevOps orchestration ensures that all teams — Sec, Dev, and Ops — have the information they need at every step of development to share responsibility in delivering secure software.
Brittany Greenfield
CEO & Founder, Wabbi

Testing Prioritizes Security

With digital dominating, our professional and personal lives for the foreseeable security must be prioritized. Despite being in the spotlight, security is still an afterthought when it comes to software development. Testing must focus on ensuring that not only is the digital experience meeting users' expectations but that there are no security issues. This will continue to tip the balance towards quality rather than speed of delivery.
Antony Edwards
COO, Eggplant


In 2021, DevSecOps will become mainstream, especially in regard to stricter audit testing. With the rising importance of data security and increasing regulatory pressures from GDPR, CPA, SOX, etc., DevSecOps teams will look closely for abuse in custom programs surrounding authorization and segregation of duties (SoD) - areas that are vastly overlooked today. Missing authorization checks, for example, can easily create situations where users can view assets and processes that they shouldn’t be able to access, creating compliance concerns and the potential for substantial financial penalties. Just as the popular term “Shift Left” allowed for a more cost-effective solution to fix operational issues in development, DevSecOps “Shift Left” will allow for time and cost savings against costly security issues, compliance penalties and potential reputation concerns.
Shane MacDonald
VP of Global Sales Engineering, Onapsis


Throughout 2020, we’ve witnessed an emerging trend of organizations building applications rapidly using low-code/no-code platforms. Static application security testing (SAST) tools in particular work very well when there is code to scan. I anticipate that in the not-so-distant future, SAST tools will require alterations to the way in which they currently work to accommodate low-code/no-code platforms. I also anticipate changes in how we build software to take place in the foreseeable future. As application security testing tools move towards providing the same experience as low-code/no-code platforms, by providing a few inputs to the tool, they will be able to generate the integrations needed to run the tool on-prem or seamlessly in the cloud. In 2021, I predict that low-code/no-code platforms for application security will emerge and that through such platforms it will become more and more common to see organizations building security into DevOps effectively.
Meera Rao
Senior Director of Product Management, Synopsys

New threats target Infrastructure as Code

As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets.
Amir Jerbi
CTO, Aqua Security


Vulnerable APIs will be most responsible for software and application-related breaches: While awareness around API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. While APIs have become a convenient way for developers to build and run more complex web applications, issues like access control pose a challenge to developers as accounting for and eliminating these vulnerabilities is still a difficult task with few easy solutions. As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near-term forcing developers to quickly identify ways to better secure API authentication and authorization processes
Erez Yalon
Director of Security Research, Checkmarx

Share this

Industry News

February 02, 2023

Red Hat announced a multi-stage alliance to offer customers a greater choice of operating systems to run on Oracle Cloud Infrastructure (OCI).

February 02, 2023

Snow Software announced a new global partner program designed to enable partners to support customers as they face complex market challenges around managing cost and mitigating risk, while delivering value more efficiently and effectively with Snow.

February 02, 2023

Contrast Security announced the launch of its new partner program, the Security Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

February 01, 2023

Red Hat introduced new security and compliance capabilities for the Red Hat OpenShift enterprise Kubernetes platform.

February 01, 2023

Jetpack.io formally launched with Devbox Cloud, a managed service offering for Devbox.

February 01, 2023

Jellyfish launched Life Cycle Explorer, a new solution that identifies bottlenecks in the life cycle of engineering work to help teams adapt workflow processes and more effectively deliver value to customers.

January 31, 2023

Ably announced the Ably Terraform provider.

January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

January 31, 2023

Qualys announced its new GovCloud platform along with the achievement of FedRAMP Ready status at the High impact level, from the Federal Risk and Authorization Management Program (FedRAMP).

January 30, 2023

F5 announced the general availability of F5 NGINXaaS for Azure, an integrated solution co-developed by F5 and Microsoft that empowers enterprises to deliver secure, high-performance applications in the cloud.

January 30, 2023

Tenable announced Tenable Ventures, a corporate investment program.

January 26, 2023

Ubuntu Pro, Canonical’s comprehensive subscription for secure open source and compliance, is now generally available.

January 26, 2023

Mirantis, freeing developers to create their most valuable code, today announced that it has acquired the Santa Clara, California-based Shipa to add automated application discovery, operations, security, and observability to the Lens Kubernetes Platform.

January 25, 2023

SmartBear has integrated the powerful contract testing capabilities of PactFlow with SwaggerHub.

January 25, 2023

Venafi introduced TLS Protect for Kubernetes.