DEVOPSdigest asked DevOps and development experts from across the industry for their 2021 DevSecOps predictions:
Start with 2021 DevSecOps Predictions - Part 1
Zero-trust security will become the prevailing model for organizations in 2021. With more companies moving to distributed architectures, technology teams need a scalable way to make security foolproof while managing a growing number of microservices and greater complexity. Companies should act as though every person and service (whether internal or external) could have malicious intent, and implement zero-trust security protocols to adequately protect their services, applications and the data that flows through them. Failure to do so will only result in more high-profile data breaches, widespread outages, and heightened concerns from customers.
CTO and Co-Founder, Kong
The coming year will see an increased focus on implementing zero trust architectures in DevSecOps. As tools for automation continue to improve and advance toward ubiquitous commodity/table stakes, the organizational bottlenecks around "authority to operate" continue to prevent many organizations from fully realizing the velocity to value that DevSecOps facilitates. Organizations that embrace zero trust have a leg up in overcoming this last bastion of traditional "castle and moat" IT security. In the same way that CI/CD and APM established the trust that brought together the development and operator communities, establishing a software defined IT security ecosystem that is equally observable and with no implicit trust is paramount to gaining buy-in of authorizing officials. Paradoxically, proving that from an IT perspective you don't implicitly trust anyone/anything is the key to establishing a high-trust DevSecOps culture.
VP of Software, SAIC
CLOUD-NATIVE SECURITY TAKES CENTER STAGE
If 2020 was the year of the API, 2021 will be the year where cloud native security steals the spotlight. The focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority. In its current state, widespread understanding of cloud native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have employed to boost efficiency and productivity. But at each point of connection there is risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
Director of Security Research, Checkmarx
DevOps will take more advantage of security automation in 2021, baking these procedures in from the start and saving a lot of headache. Security management tools and related solutions can be leveraged to implement CI/CD pipelines that are automated, secure, and result in secure applications with minimal exposed threat vectors and vulnerabilities. Also, there's tremendous value in utilizing security-hardened managed services and open source tools, which can further reduce the burden on internal DevOps teams to expedite development without compromising security. Where possible, DevOps teams will increasingly vet and tap managed options rather than building everything from the ground up securely.
VP and Head of US Consulting, Instaclustr
BEHAVIORAL LEARNING-BASED SECURITY
DevOps teams will increasingly turn to behavioral learning-based security strategies as a newer approach to locking down (and preventing) abnormal activities within their production environments. Those that still depend on traditional signature-based threat detection will increasingly realize that their solutions aren't efficient or quick enough to effectively secure modern dynamic workloads, such as those used by container or serverless applications. DevOps security requires threat detection methods that are fast, lightweight, immutable, and built to operate inline and at scale. Behavior detection checks those boxes, and will secure a growing number of production workloads throughout 2021.
Chief Strategy Officer, NeuVector
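The contrast drawn above between signature-based and behavioural detection can be made concrete with a small added example (this is illustrative code written for this page, not NeuVector's product or any code from the original article). It learns a per-image baseline of (process, parent) pairs from a constructed set of container process events, then classifies constructed live events both ways, so the reader can see which events a signature list alone would miss. All image names, process names and the signature list are constructed for the illustration.

```python
from collections import defaultdict

# Constructed learning-window events: (container image, process, parent process).
BASELINE_EVENTS = [
    ("web:1.4", "nginx", "dumb-init"),
    ("web:1.4", "nginx", "nginx"),
    ("web:1.4", "php-fpm", "dumb-init"),
    ("api:2.0", "python3", "dumb-init"),
    ("api:2.0", "gunicorn", "python3"),
]

# Constructed signature list: process names treated as known-bad.
SIGNATURES = {"xmrig", "kinsing"}

# Constructed production events to classify.
LIVE_EVENTS = [
    ("web:1.4", "nginx", "nginx"),        # routine worker spawn, seen in baseline
    ("web:1.4", "xmrig", "nginx"),        # on the signature list and off-baseline
    ("web:1.4", "svc-helper", "nginx"),   # unknown binary: no signature, but off-baseline
    ("api:2.0", "sh", "gunicorn"),        # shell spawned by the app server: off-baseline
]


def learn_baseline(events):
    """Record which (process, parent) pairs each image exhibited while learning."""
    baseline = defaultdict(set)
    for image, proc, parent in events:
        baseline[image].add((proc, parent))
    return baseline


def signature_hit(event):
    """Signature model: flag only process names on the known-bad list."""
    return event[1] in SIGNATURES


def off_baseline(baseline, event):
    """Behavioural model: flag any (process, parent) pair the image never showed."""
    image, proc, parent = event
    return (proc, parent) not in baseline.get(image, set())


def classify(baseline, events):
    """Evaluate every event under both models and return the verdicts."""
    return [
        {
            "event": ev,
            "signature_hit": signature_hit(ev),
            "off_baseline": off_baseline(baseline, ev),
        }
        for ev in events
    ]


def missed_by_signatures(results):
    """Count events the behavioural model flags that the signature model does not."""
    return sum(1 for r in results if r["off_baseline"] and not r["signature_hit"])


if __name__ == "__main__":
    verdicts = classify(learn_baseline(BASELINE_EVENTS), LIVE_EVENTS)
    for v in verdicts:
        print(v)
    print("off-baseline events without a signature:", missed_by_signatures(verdicts))
```

Keying the baseline by image tag is deliberate: a new image version legitimately changes the process tree, so the learning window must be re-run per tag rather than carried over, otherwise every routine deployment becomes a flood of false positives.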
ABS: Always Be Securing
The adoption of continuous delivery became a natural extension of the Agile and DevOps transformations of the last decade, yet the adoption of CI/CD pipelines further siloed security as their processes failed to keep up. As organizations continue to evolve their continuous delivery processes in 2021, they will finally include security through SecDevOps orchestration, which ensures a repeatable and reliable execution of the security processes at every step of the SDLC by leveraging automation to scale the program at speed. With SecDevOps, security becomes part of building-in quality from the start so all teams know what the definition of "done" is, which is not about producing perfectly secure code, but understanding each individual application's security profile to prevent and fix the most important security issues early. By continually managing security practices, policies, and debt in existing CI/CD pipelines, SecDevOps orchestration ensures that all teams — Sec, Dev, and Ops — have the information they need at every step of development to share responsibility in delivering secure software.
CEO & Founder, Wabbi
Testing Prioritizes Security
With digital dominating our professional and personal lives for the foreseeable future, security must be prioritized. Despite being in the spotlight, security is still an afterthought when it comes to software development. Testing must focus on ensuring that not only is the digital experience meeting users' expectations but that there are no security issues. This will continue to tip the balance towards quality rather than speed of delivery.
DEVSECOPS ENSURES COMPLIANCE
In 2021, DevSecOps will become mainstream, especially in regard to stricter audit testing. With the rising importance of data security and increasing regulatory pressures from GDPR, CPA, SOX, etc., DevSecOps teams will look closely for abuse in custom programs surrounding authorization and segregation of duties (SoD) - areas that are vastly overlooked today. Missing authorization checks, for example, can easily create situations where users can view assets and processes that they shouldn’t be able to access, creating compliance concerns and the potential for substantial financial penalties. Just as the popular term “Shift Left” allowed for a more cost-effective solution to fix operational issues in development, DevSecOps “Shift Left” will allow for time and cost savings against costly security issues, compliance penalties and potential reputation concerns.
VP of Global Sales Engineering, Onapsis
LOW-CODE/NO-CODE PLATFORMS FOR APPLICATION SECURITY
Throughout 2020, we’ve witnessed an emerging trend of organizations building applications rapidly using low-code/no-code platforms. Static application security testing (SAST) tools in particular work very well when there is code to scan. I anticipate that in the not-so-distant future, SAST tools will require alterations to the way in which they currently work to accommodate low-code/no-code platforms. I also anticipate changes in how we build software to take place in the foreseeable future. As application security testing tools move towards providing the same experience as low-code/no-code platforms, by providing a few inputs to the tool, they will be able to generate the integrations needed to run the tool on-prem or seamlessly in the cloud. In 2021, I predict that low-code/no-code platforms for application security will emerge and that through such platforms it will become more and more common to see organizations building security into DevOps effectively.
Senior Director of Product Management, Synopsys
New threats target Infrastructure as Code
As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets.
CTO, Aqua Security
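One defensive control against the template risk described above is to require that every module a deployment pulls in comes from a known source and is pinned to an immutable version. The following added example (written for this page, not Aqua Security's code or anything from the original article) checks a constructed Terraform JSON-syntax configuration for that policy. The `acme` registry namespace, the module names and the git host are assumptions; the checker also only understands the short `namespace/name/provider` registry form and git sources with a `?ref=` query, and treats anything else as unrecognised.

```python
import json
import re

# Constructed .tf.json fragment (Terraform's JSON configuration syntax).
SAMPLE_TF_JSON = json.dumps({
    "module": {
        "vpc": {"source": "acme/vpc/aws", "version": "3.2.1"},
        "kms": {"source": "someone-else/kms/aws", "version": ">= 1.0"},
        "ingress": {"source": "git::https://git.example.com/platform/ingress.git?ref=" + "a" * 40},
        "logging": {"source": "git::https://git.example.com/platform/logging.git?ref=main"},
        "local_helper": {"source": "./modules/helper"},
    }
})

ALLOWED_NAMESPACES = {"acme"}  # assumption: the organisation's own registry namespace
COMMIT_SHA = re.compile(r"^[0-9a-f]{40}$")
EXACT_VERSION = re.compile(r"^\d+\.\d+\.\d+$")


def check_module(name, block, allowed_namespaces):
    """Return policy findings for one module block (empty list when it passes)."""
    findings = []
    source = block.get("source", "")

    # Local modules live in the same repository and are reviewed with it.
    if source.startswith("./") or source.startswith("../"):
        return findings

    # Git sources must be pinned to a full commit hash, not a branch or tag.
    if source.startswith("git::"):
        ref = source.split("?ref=", 1)[1] if "?ref=" in source else ""
        if not COMMIT_SHA.match(ref):
            findings.append(f"{name}: git source not pinned to a commit (ref={ref!r})")
        return findings

    # Short registry form: namespace/name/provider, plus an exact version.
    parts = source.split("/")
    if len(parts) == 3:
        namespace = parts[0]
        if namespace not in allowed_namespaces:
            findings.append(f"{name}: registry namespace {namespace!r} is not allow-listed")
        version = block.get("version", "")
        if not EXACT_VERSION.match(version):
            findings.append(f"{name}: version {version!r} is not an exact pin")
        return findings

    findings.append(f"{name}: unrecognised module source {source!r}")
    return findings


def check_config(tf_json_text, allowed_namespaces=ALLOWED_NAMESPACES):
    """Scan every module block in a .tf.json document and collect findings."""
    cfg = json.loads(tf_json_text)
    findings = []
    for name, block in cfg.get("module", {}).items():
        findings.extend(check_module(name, block, allowed_namespaces))
    return findings


if __name__ == "__main__":
    for finding in check_config(SAMPLE_TF_JSON):
        print(finding)
```

Run as a pipeline gate, a non-empty result fails the plan stage before anything is applied; in the constructed sample the `kms` module is flagged twice (foreign namespace, floating version) and `logging` once (branch reference), while the pinned and local modules pass.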
API REMAINS TOP ATTACK VECTOR
Vulnerable APIs will be most responsible for software and application-related breaches: While awareness around API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. While APIs have become a convenient way for developers to build and run more complex web applications, issues like access control pose a challenge to developers as accounting for and eliminating these vulnerabilities is still a difficult task with few easy solutions. As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near-term forcing developers to quickly identify ways to better secure API authentication and authorization processes.
Director of Security Research, Checkmarx
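Two of the predictions above turn on the same defect: an API handler that authenticates the caller but never checks whether that caller is authorized for the specific object or action (the missing authorization and segregation-of-duties checks in the Onapsis prediction, and the API access-control gap in the Checkmarx one). The added example below (written for this page; not code from either company or from the original article) shows a minimal invoice service with the vulnerable read handler next to its hardened form, an approval action that enforces segregation of duties, and an audit trail of every allow/deny decision so the checks can be tested. Users, roles, invoices and amounts are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    id: str
    roles: frozenset


class Forbidden(Exception):
    """Raised when an authorization or segregation-of-duties check fails."""


# Constructed sample data: invoices keyed by id, each recording who submitted it.
SAMPLE_INVOICES = {
    "inv-1": {"submitted_by": "alice", "amount": 100, "approved": False},
    "inv-2": {"submitted_by": "bob", "amount": 250, "approved": False},
}


class InvoiceService:
    def __init__(self, invoices):
        self.invoices = {k: dict(v) for k, v in invoices.items()}  # private copy
        self.audit = []  # (caller, action, invoice, decision), for audit testing

    def _decide(self, caller, action, invoice_id, allowed, reason=""):
        """Record the decision, then reject the call if it was not allowed."""
        self.audit.append((caller.id, action, invoice_id, "allow" if allowed else "deny"))
        if not allowed:
            raise Forbidden(f"{caller.id} may not {action} {invoice_id}: {reason}")

    def get_invoice_vulnerable(self, caller, invoice_id):
        # Caller is authenticated, but there is no ownership check:
        # any logged-in user can read any invoice by guessing its id.
        return self.invoices[invoice_id]

    def get_invoice(self, caller, invoice_id):
        # Hardened form: the submitter or an auditor may read; everyone else is denied.
        inv = self.invoices[invoice_id]
        allowed = inv["submitted_by"] == caller.id or "auditor" in caller.roles
        self._decide(caller, "read", invoice_id, allowed, "not owner or auditor")
        return inv

    def approve_invoice(self, caller, invoice_id):
        inv = self.invoices[invoice_id]
        # Role check: approval needs the approver role.
        if "approver" not in caller.roles:
            self._decide(caller, "approve", invoice_id, False, "approver role required")
        # Segregation of duties: the submitter may never approve their own invoice,
        # even when they also hold the approver role.
        self._decide(caller, "approve", invoice_id, inv["submitted_by"] != caller.id,
                     "submitter cannot approve own invoice")
        inv["approved"] = True
        return inv


def denied(fn, *args):
    """Helper for tests: True when the call is rejected with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    svc = InvoiceService(SAMPLE_INVOICES)
    alice = User("alice", frozenset({"submitter", "approver"}))
    bob = User("bob", frozenset({"submitter"}))
    print("vulnerable read by bob of alice's invoice:", svc.get_invoice_vulnerable(bob, "inv-1"))
    print("hardened read denied:", denied(svc.get_invoice, bob, "inv-1"))
    print("self-approval denied:", denied(svc.approve_invoice, alice, "inv-1"))
    print("audit trail:", svc.audit)
```

The audit list is what makes the control testable: an audit query for "approve" decisions where the caller equals the submitter should return only denials, which is exactly the kind of segregation-of-duties evidence an auditor asks for.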