2021 DevSecOps Predictions - Part 2
January 28, 2021

DEVOPSdigest asked DevOps and development experts from across the industry for their 2021 DevSecOps predictions:

Start with 2021 DevSecOps Predictions - Part 1

ZERO-TRUST SECURITY

Zero-trust security will become the prevailing model for organizations in 2021. With more companies moving to distributed architectures, technology teams need a scalable way to make security foolproof while managing a growing number of microservices and greater complexity. Companies should act as though every person and service (whether internal or external) could have malicious intent, and implement zero-trust security protocols to adequately protect their services, applications and the data that flows through them. Failure to do so will only result in more high-profile data breaches, widespread outages, and heightened concerns from customers.
Marco Palladino,
CTO and Co-Founder, Kong

The coming year will see an increased focus on implementing zero trust architectures in DevSecOps. As tools for automation continue to improve and advance toward ubiquitous commodity/table stakes, the organizational bottlenecks around "authority to operate" continue to prevent many organizations from fully realizing the velocity to value that DevSecOps facilitates. Organizations that embrace zero trust have a leg up in overcoming this last bastion of traditional "castle and moat" IT security. In the same way that CI/CD and APM established the trust that brought together the development and operator communities, establishing a software defined IT security ecosystem that is equally observable and with no implicit trust is paramount to gaining buy-in of authorizing officials. Paradoxically, proving that from an IT perspective you don't implicitly trust anyone/anything is the key to establishing a high-trust DevSecOps culture.
Bob Ritchie,
VP of Software, SAIC

CLOUD-NATIVE SECURITY TAKES CENTER STAGE

If 2020 was the year of the API, 2021 will be the year where cloud native security steals the spotlight. The focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority. In its current state, widespread understanding of cloud native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have employed to boost efficiency and productivity. But at each point of connection there is risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
Erez Yalon
Director of Security Research, Checkmarx

SECURITY AUTOMATION

DevOps will take more advantage of security automation in 2021, baking these procedures in from the start and saving a lot of headache. Security management tools and related solutions can be leveraged to implement CI/CD pipelines that are automated, secure, and result in secure applications with minimal exposed threat vectors and vulnerabilities. Also, there's tremendous value in utilizing security-hardened managed services and open source tools, which can further reduce the burden on internal DevOps teams to expedite development without compromising security. Where possible, DevOps teams will increasingly vet and tap managed options rather than building everything from the ground up securely.
Anil Inamdar
VP and Head of US Consulting, Instaclustr

BEHAVIORAL LEARNING-BASED SECURITY

DevOps teams will increasingly turn to behavioral learning-based security strategies as a newer approach to locking down (and preventing) abnormal activities within their production environments. Those that still depend on traditional signature-based threat detection will increasingly realize that their solutions aren't efficient or quick enough to effectively secure modern dynamic workloads, such as those used by container or serverless applications. DevOps security requires threat detection methods that are fast, lightweight, immutable, and built to operate inline and at scale. Behavior detection checks those boxes, and will secure a growing number of production workloads throughout 2021.
Fei Huang
Chief Strategy Officer, NeuVector

ABS: Always Be Securing

The adoption of continuous delivery became a natural extension of the Agile and DevOps transformations of the last decade, yet the adoption of CI/CD pipelines further siloed security as their processes failed to keep up. As organizations continue to evolve their continuous delivery processes in 2021, they will finally include security through SecDevOps orchestration, which ensures a repeatable and reliable execution of the security processes at every step of the SDLC by leveraging automation to scale the program at speed. With SecDevOps, security becomes part of building-in quality from the start so all teams know what the definition of "done" is, which is not about producing perfectly secure code, but understanding each individual application's security profile to prevent and fix the most important security issues early. By continually managing security practices, policies, and debt in existing CI/CD pipelines, SecDevOps orchestration ensures that all teams — Sec, Dev, and Ops — have the information they need at every step of development to share responsibility in delivering secure software.
Brittany Greenfield
CEO & Founder, Wabbi

Testing Prioritizes Security

With digital dominating, our professional and personal lives for the foreseeable security must be prioritized. Despite being in the spotlight, security is still an afterthought when it comes to software development. Testing must focus on ensuring that not only is the digital experience meeting users' expectations but that there are no security issues. This will continue to tip the balance towards quality rather than speed of delivery.
Antony Edwards
COO, Eggplant

DEVSECOPS ENSURES COMPLIANCE

In 2021, DevSecOps will become mainstream, especially in regard to stricter audit testing. With the rising importance of data security and increasing regulatory pressures from GDPR, CPA, SOX, etc., DevSecOps teams will look closely for abuse in custom programs surrounding authorization and segregation of duties (SoD) - areas that are vastly overlooked today. Missing authorization checks, for example, can easily create situations where users can view assets and processes that they shouldn’t be able to access, creating compliance concerns and the potential for substantial financial penalties. Just as the popular term “Shift Left” allowed for a more cost-effective solution to fix operational issues in development, DevSecOps “Shift Left” will allow for time and cost savings against costly security issues, compliance penalties and potential reputation concerns.
Shane MacDonald
VP of Global Sales Engineering, Onapsis

LOW-CODE/NO-CODE PLATFORMS FOR APPLICATION SECURITY

Throughout 2020, we’ve witnessed an emerging trend of organizations building applications rapidly using low-code/no-code platforms. Static application security testing (SAST) tools in particular work very well when there is code to scan. I anticipate that in the not-so-distant future, SAST tools will require alterations to the way in which they currently work to accommodate low-code/no-code platforms. I also anticipate changes in how we build software to take place in the foreseeable future. As application security testing tools move towards providing the same experience as low-code/no-code platforms, by providing a few inputs to the tool, they will be able to generate the integrations needed to run the tool on-prem or seamlessly in the cloud. In 2021, I predict that low-code/no-code platforms for application security will emerge and that through such platforms it will become more and more common to see organizations building security into DevOps effectively.
Meera Rao
Senior Director of Product Management, Synopsys

New threats target Infrastructure as Code

As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets.
Amir Jerbi
CTO, Aqua Security

API REMAINS TOP ATTACK VECTOR

Vulnerable APIs will be most responsible for software and application-related breaches: While awareness around API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. While APIs have become a convenient way for developers to build and run more complex web applications, issues like access control pose a challenge to developers as accounting for and eliminating these vulnerabilities is still a difficult task with few easy solutions. As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near-term forcing developers to quickly identify ways to better secure API authentication and authorization processes
Erez Yalon
Director of Security Research, Checkmarx

Share this

Industry News

May 05, 2021

Splunk announced the new Splunk Observability Cloud, the full-stack, analytics-powered and enterprise-grade Observability solution.

May 05, 2021

Amazon Web Services announced the general availability of Amazon DevOps Guru, a fully managed operations service that uses machine learning to make it easier for developers to improve application availability by automatically detecting operational issues and recommending specific actions for remediation.

May 05, 2021

SmartBear has added API testing support for the popular, open source event streaming platform, Apache Kafka.

May 05, 2021

Red Hat unveiled its Developer Sandbox for Red Hat OpenShift, an OpenShift-based development environment designed to enable organizations to accelerate the path from code to production for Kubernetes-based applications.

May 05, 2021

DevOps Institute announced the lineup for SKILup Days in the second quarter of 2021.

May 05, 2021

Idera announced the acquisition of Xblend Software.

May 04, 2021

ThoughtSpot announced the launch of ThoughtSpot Everywhere.

May 04, 2021

Perforce Software announced the availability of virtual devices (Android emulators and iOS simulators) as part of the comprehensive device lab within Perfecto’s Intelligent Test Automation platform.

May 04, 2021

LogiGear announced the newest release of its flagship TestArchitect™ Enterprise product, TestArchitect Enterprise 9.0.

May 04, 2021

Rafay Systems announced new enhancements to its flagship Kubernetes Management Cloud (KMC).

May 04, 2021

Opsera announced $15 million in Series A funding led by Felicis Ventures.

May 03, 2021

Red Hat announced the general availability of OpenShift GitOps and OpenShift Pipelines, new features of Red Hat OpenShift.

May 03, 2021

Rackspace Technology made a strategic investment in Platform9 and launched Rackspace Managed Platform for Kubernetes (MPK).

May 03, 2021

Imperva announced it has entered into an agreement to acquire CloudVector.

May 03, 2021

JFrogwill be expanding its presence in the Asia-Pacific (APAC) region, specifically in the People’s Republic of China.