2021 DevSecOps Predictions - Part 2
January 28, 2021

DEVOPSdigest asked DevOps and development experts from across the industry for their 2021 DevSecOps predictions:

Start with 2021 DevSecOps Predictions - Part 1

ZERO-TRUST SECURITY

Zero-trust security will become the prevailing model for organizations in 2021. With more companies moving to distributed architectures, technology teams need a scalable way to make security foolproof while managing a growing number of microservices and greater complexity. Companies should act as though every person and service (whether internal or external) could have malicious intent, and implement zero-trust security protocols to adequately protect their services, applications and the data that flows through them. Failure to do so will only result in more high-profile data breaches, widespread outages, and heightened concerns from customers.
Marco Palladino,
CTO and Co-Founder, Kong

The coming year will see an increased focus on implementing zero trust architectures in DevSecOps. As tools for automation continue to improve and advance toward ubiquitous commodity/table stakes, the organizational bottlenecks around "authority to operate" continue to prevent many organizations from fully realizing the velocity to value that DevSecOps facilitates. Organizations that embrace zero trust have a leg up in overcoming this last bastion of traditional "castle and moat" IT security. In the same way that CI/CD and APM established the trust that brought together the development and operator communities, establishing a software defined IT security ecosystem that is equally observable and with no implicit trust is paramount to gaining buy-in of authorizing officials. Paradoxically, proving that from an IT perspective you don't implicitly trust anyone/anything is the key to establishing a high-trust DevSecOps culture.
Bob Ritchie,
VP of Software, SAIC

CLOUD-NATIVE SECURITY TAKES CENTER STAGE

If 2020 was the year of the API, 2021 will be the year where cloud native security steals the spotlight. The focus will turn to how cloud-based technologies continue to proliferate and increase in adoption across organizations. Securing the resulting ecosystems of interconnected cloud-based solutions will become a priority. In its current state, widespread understanding of cloud native security is still in its infancy. APIs, containers, and orchestration tools are now commonplace in software development, and organizations have been working hard to increase the connectivity between the different tools they have employed to boost efficiency and productivity. But at each point of connection there is risk of a vulnerability that could lead to a breach. In 2021, we will see organizations come to grips with this reality of software complexity and take steps toward protecting themselves.
Erez Yalon
Director of Security Research, Checkmarx

SECURITY AUTOMATION

DevOps will take more advantage of security automation in 2021, baking these procedures in from the start and saving a lot of headache. Security management tools and related solutions can be leveraged to implement CI/CD pipelines that are automated, secure, and result in secure applications with minimal exposed threat vectors and vulnerabilities. Also, there's tremendous value in utilizing security-hardened managed services and open source tools, which can further reduce the burden on internal DevOps teams to expedite development without compromising security. Where possible, DevOps teams will increasingly vet and tap managed options rather than building everything from the ground up securely.
Anil Inamdar
VP and Head of US Consulting, Instaclustr

BEHAVIORAL LEARNING-BASED SECURITY

DevOps teams will increasingly turn to behavioral learning-based security strategies as a newer approach to locking down (and preventing) abnormal activities within their production environments. Those that still depend on traditional signature-based threat detection will increasingly realize that their solutions aren't efficient or quick enough to effectively secure modern dynamic workloads, such as those used by container or serverless applications. DevOps security requires threat detection methods that are fast, lightweight, immutable, and built to operate inline and at scale. Behavior detection checks those boxes, and will secure a growing number of production workloads throughout 2021.
Fei Huang
Chief Strategy Officer, NeuVector

ABS: Always Be Securing

The adoption of continuous delivery became a natural extension of the Agile and DevOps transformations of the last decade, yet the adoption of CI/CD pipelines further siloed security as their processes failed to keep up. As organizations continue to evolve their continuous delivery processes in 2021, they will finally include security through SecDevOps orchestration, which ensures a repeatable and reliable execution of the security processes at every step of the SDLC by leveraging automation to scale the program at speed. With SecDevOps, security becomes part of building-in quality from the start so all teams know what the definition of "done" is, which is not about producing perfectly secure code, but understanding each individual application's security profile to prevent and fix the most important security issues early. By continually managing security practices, policies, and debt in existing CI/CD pipelines, SecDevOps orchestration ensures that all teams — Sec, Dev, and Ops — have the information they need at every step of development to share responsibility in delivering secure software.
Brittany Greenfield
CEO & Founder, Wabbi

Testing Prioritizes Security

With digital dominating our professional and personal lives for the foreseeable, security must be prioritized. Despite being in the spotlight, security is still an afterthought when it comes to software development. Testing must focus on ensuring not only that the digital experience meets users' expectations but that there are no security issues. This will continue to tip the balance towards quality rather than speed of delivery.
Antony Edwards
COO, Eggplant

DEVSECOPS ENSURES COMPLIANCE

In 2021, DevSecOps will become mainstream, especially in regard to stricter audit testing. With the rising importance of data security and increasing regulatory pressures from GDPR, CPA, SOX, etc., DevSecOps teams will look closely for abuse in custom programs surrounding authorization and segregation of duties (SoD) - areas that are vastly overlooked today. Missing authorization checks, for example, can easily create situations where users can view assets and processes that they shouldn’t be able to access, creating compliance concerns and the potential for substantial financial penalties. Just as the popular term “Shift Left” allowed for a more cost-effective solution to fix operational issues in development, DevSecOps “Shift Left” will allow for time and cost savings against costly security issues, compliance penalties and potential reputation concerns.
Shane MacDonald
VP of Global Sales Engineering, Onapsis

LOW-CODE/NO-CODE PLATFORMS FOR APPLICATION SECURITY

Throughout 2020, we’ve witnessed an emerging trend of organizations building applications rapidly using low-code/no-code platforms. Static application security testing (SAST) tools in particular work very well when there is code to scan. I anticipate that in the not-so-distant future, SAST tools will require alterations to the way in which they currently work to accommodate low-code/no-code platforms. I also anticipate changes in how we build software to take place in the foreseeable future. As application security testing tools move towards providing the same experience as low-code/no-code platforms, by providing a few inputs to the tool, they will be able to generate the integrations needed to run the tool on-prem or seamlessly in the cloud. In 2021, I predict that low-code/no-code platforms for application security will emerge and that through such platforms it will become more and more common to see organizations building security into DevOps effectively.
Meera Rao
Senior Director of Product Management, Synopsys

New threats target Infrastructure as Code

As DevOps moves more broadly to use Infrastructure as Code (IaC) to automate provisioning of cloud native platforms, it is only a matter of time before vulnerabilities in these processes are exploited. The use of many templates leaves an opening for attackers to embed deployment automation of their own components, which when executed may allow them to manipulate the cloud infrastructure of their attack targets.
Amir Jerbi
CTO, Aqua Security

API REMAINS TOP ATTACK VECTOR

Vulnerable APIs will be most responsible for software and application-related breaches: While awareness around API security has improved over the past few years, we can still predict that APIs will remain a top, if not the top, attack vector for adversaries in 2021. While APIs have become a convenient way for developers to build and run more complex web applications, issues like access control pose a challenge to developers, as accounting for and eliminating these vulnerabilities is still a difficult task with few easy solutions. As malicious actors continue to ramp up their API-targeted attacks and organizations play catch-up in their understanding of how these programs can be exploited, adversaries will capitalize on this gap in the near term, forcing developers to quickly identify ways to better secure API authentication and authorization processes.
Erez Yalon
Director of Security Research, Checkmarx
