2022 DevSecOps Predictions - Part 1
January 19, 2022

As part of the 2022 DevOps Predictions list, DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2022.

BIG JUMP IN DEVSECOPS ADOPTION

The DevSecOps practice will continue to increase in 2022 as more and more organizations are understanding both the efficiencies and improved security of this strategy. DevSecOps is a proven strategy within the DevOps Platform that reduces risk and security incidents while allowing faster and more secure code deployments — and organizations know this to be true. In 2022, DevSecOps will be the preferred strategy across all industries to combat today's evolving threat landscape. Although we are seeing an increase in the implementation of certain security protocols, overall, the industry has been slow to respond. Much of this is due to the understanding, complexity, and difficulty in implementation of full DevSecOps within the tech stack. We will see a big jump in the adoption of DevSecOps in 2022 as more and more companies need to shore up their defenses against outside attacks.
Johnathan Hunt
VP of Security, GitLab

In 2022 we'll continue to see the push towards integration of DevSecOps with product and enterprise application development. This will be driven by developers who recognize critical security issues, and in order to address those issues they'll need to have the right tools. Regardless of an organization's DevSecOps posture, security tools will also be needed to flag vulnerabilities with prescriptive steps to solve them.
Asaf Karas
CTO Security, JFrog

SECURITY CONTINUES TO SHIFT LEFT

Security will continue to shift into being a standard facet of delivery as we move into 2022. This will enable rapid and contextual feedback to be instantly acted upon by our DevOps teams. Monitor at runtime and feedback or even pull request infrastructure-as-code changes back in the version control system. Enabling DevOps engineers to evolve to DevSecOps engineers is a journey and 2022 will continue to see this movement evolve.
Ryan Sheldrake
Field CTO, Lacework and DevOps Institute Ambassador

Most companies have IT security as a top concern as they now have a larger digital footprint and are holding more data than ever, and given the strong fines around GDPR they are forced to take keeping their customers' data safe seriously. These companies are under a tremendous amount of pressure and tend to lean on concepts they know and trust like InfoSec and CyberSecurity meaning the term DevSecOps hasn't really caught on (certainly not as much as DevOps) despite its principles being very relevant. Dev teams will use more and more security tools that can be embedded in the development process early, especially ones that meet the audit and controls requirements to meet certifications like ISO27001. Dev teams are busy so will pick tools that can be easily integrated by developers and have SaaS hosting options.
Craig Cook
Principal Engineer, Catapult CX

The pandemic pushed us further into the cloud, which has made us more reliant on microservices and containers. However, the rapid proliferation of microservices has outpaced the cyber security capabilities of most organizations. In an effort to improve cloud native cyber security practices, organizations will begin to embed security from the very beginning of the development process, ensuring microservices remain secure wherever they are deployed. As organizations become more agile, putting forth a DevSecOps approach from the start ensures microservices are adequately secured.
Tobi Knaup
Co-Founder and CEO, D2iQ

CONVERGENCE OF DEVSECOPS AND SECOPS

We've seen a rapid increase in adoption as companies focus more on shifting security left (having largely solved the automated testing problem). The future direction for DevSecOps will tie the build-phase scanning that we see in DevOps today with Security Operations work that happens in the operational phase. DevSecOps and SecOps will become one larger discipline.
Anand Ahire
Senior Director, Product Management, DevOps, ServiceNow

SHIFT LEFT GOES TOO FAR

Shift-left practices will continue to grow; however, this will come as a detriment to organizations that must secure their APIs if architectural mindsets do not change. The shift-left mindset was born out of a desire to ensure that stronger security practices like thorough security testing are implemented earlier on in an application's lifecycle. However, it has become much too tempting to over-rotate, leaving security gaps as a result. While shift-left approaches aim to identify code quality and security issues prior to production delivery, API security needs additional consideration. For example, securing APIs in production requires protections beyond application or API code, which is often beyond the scope of development teams. Many API flaws and abusable business logic only manifest in runtime, and these issues can't be tested for effectively prior to delivery on infrastructure. Effective API security requires tooling for continuous testing and remediation. Any tooling also needs to be easily and automatically integrated into security and non-security workflows, of which CI/CD build pipeline integrations are just one aspect. In 2022, more organizations will realize that the only way to truly secure APIs from increasingly complex and advanced cyber attacks is to embrace holistic processes and a full life cycle focus. This mindset requires a shift away from the desire to test all code with scanning tools that already struggle to provide adequate code coverage and leave business logic unaddressed. The mindset shift requires that practitioners account for an organization's unique business logic in application source code as well as misconfigurations or mis-implementations of infrastructure that lead to API vulnerabilities and API abuse.
Michael Isbitski
Technical Evangelist, Salt Security

DEVSECOPS GOES AWAY

As security concerns such as encryption and complying with data transfer and storage regulations continue to "shift left," they become developer and operator concerns. As a result, the specific practice of operationalizing security will become irrelevant. In 2022, DevSecOps will go away.
Tobias Kunze
CEO and Co-Founder, Glasnostic

SECVALOPS

By 2022, 90% of software development projects will claim to follow DevSecOps practices. Mainstream adoption of DevSecOps has set the stage for a more proactive method for assuring the effectiveness of an organization's security strategy against sophisticated cyberattacks, but now it's time to move to the next stage: SecValOps. Security teams will look beyond implementing security practices within every IT operation to testing and validating its efficacy. Think of SecValOps as a continuous stress test intended to help businesses increase their security readiness. Secure left and validate right.
Maor Franco
Senior Director of Product Strategy, Pentera
