2022 DevSecOps Predictions - Part 1
January 19, 2022

As part of the 2022 DevOps Predictions list, DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2022.

BIG JUMP IN DEVSECOPS ADOPTION

The DevSecOps practice will continue to increase in 2022 as more and more organizations are understanding both the efficiencies and improved security of this strategy. DevSecOps is a proven strategy within the DevOps Platform that reduces risk and security incidents while allowing faster and more secure code deployments — and organizations know this to be true. In 2022, DevSecOps will be the preferred strategy across all industries to combat today's evolving threat landscape. Although we are seeing an increase in the implementation of certain security protocols, overall, the industry has been slow to respond. Much of this is due to the understanding, complexity, and difficulty in implementation of full DevSecOps within the tech stack. We will see a big jump in the adoption of DevSecOps in 2022 as more and more companies need to shore up their defenses against outside attacks.
Johnathan Hunt
VP of Securityt, GitLab

In 2022 we'll continue to see the push towards integration of DevSecOps with product and enterprise application development. This will be driven by developers who recognize critical security issues, and in order to address those issues they'll need to have the right tools. Regardless of an organization's DevSecOps posture, security tools will also be needed to flag vulnerabilities with prescriptive steps to solve them.
Asaf Karas
CTO Security, JFrog

SECURITY CONTINUES TO SHIFT LEFT

Security will continue to shift into being a standard facet of delivery as we move into 2022. This will enable rapid and contextual feedback to be instantly acted upon by our DevOps teams. Monitor at runtime and feedback or even pull request infrastructure-as-code changes back in the version control system. Enabling DevOps engineers to evolve to DevSecOps engineers is a journey and 2022 will continue to see this movement evolve.
Ryan Sheldrake
Field CTO, Lacework and DevOps Institute Ambassador

Most companies have IT security as a top concern as they now have a larger digital footprint and are holding more data than ever, and given the strong fines around GDPR they are forced to take keeping their customers' data safe seriously. These companies are under a tremendous amount of pressure and tend to lean on concepts they know and trust like InfoSec and CyberSecurity meaning the term DevSecOps hasn't really caught on (certainly not as much as DevOps) despite its principles being very relevant. Dev teams will use more and more security tools that can be embedded in the development process early, especially ones that meet the audit and controls requirements to meet certifications like ISO27001. Dev teams are busy so will pick tools that can be easily integrated by developers and have SaaS hosting options.
Craig Cook
Principal Engineer, Catapult CX

The pandemic pushed us further into the cloud, which has made us more reliant on microservices and containers. However, the rapid proliferation of microservices has outpaced the cyber security capabilities of most organizations. In an effort to improve cloud native cyber security practices, organizations will begin to embed security from the very beginning of the development process, ensuring microservices remain secure wherever they are deployed. As organizations become more agile, putting forth a DevSecOps approach from the start ensures microservices are adequately secured.
Tobi Knaup
Co-Founder and CEO, D2iQ

CONVERGENCE OF DEVSECOPS AND SECOPS

We've seen a rapid increase in adoption as companies focus more on shifting security left (having largely solved the automated testing problem). The future direction for DevSecOps will tie the build-phase scanning that we see in DevOps today with Security Operations work that happens in the operational phase. DevSecOps and SecOps will become one larger discipline.
Anand Ahire
Senior Director, Product Management, DevOps, ServiceNow

SHIFT LEFT GOES TOO FAR

Shift-left practices will continue to grow, however this will come as a detriment to organizations that must secure their APIs if architectural mindsets do not change. The shift-left mindset was born out of a desire to ensure that stronger security practices like thorough security testing are implemented earlier on in an application's lifecycle. However, it has become much too tempting to over rotate, leaving security gaps as a result. While shift-left approaches aim to identify code quality and security issues prior to production delivery, API security needs additional consideration. For example, securing APIs in production requires protections beyond application or API code, which is often beyond the scope of development teams. Many API flaws and abusable business logic only manifest in runtime, and these issues can't be tested for effectively prior to delivery on infrastructure. Effective API security requires tooling for continuous testing and remediation. Any tooling also needs to be easily and automatically integrated into security and nonsecurity workflows, of which CI/CD build pipeline integrations are just one aspect. In 2022, more organizations will realize that the only way to truly secure APIs from increasingly complex and advanced cyber attacks is to embrace holistic processes and a full life cycle focus. This mindset requires a shift away from the desire to test all code with scanning tools that already struggle to provide adequate code coverage and leave business logic unaddressed. The mindset shift requires that practitioners account for an organization's unique business logic in application source code as well as misconfigurations or mis-implementations of infrastructure that lead to API vulnerabilities and API abuse.
Michael Isbitski
Technical Evangelist, Salt Security

DEVSECOPS GOES AWAY

As security concerns such as encryption and complying with data transfer and storage regulations continue to "shift left," they become developer and operator concerns. As a result, the specific practice of operationalizing security will become irrelevant. In 2022, DevSecOps will go away.
Tobias Kunze
CEO and Co-Founder, Glasnostic

VALSECOPS

By 2022, 90% of software development projects will claim to follow DevSecOps practices. Mainstream adoption of DevSecOps has set the stage for a more proactive method for assuring the effectiveness of an organization's security strategy against sophisticated cyberattacks, but now it's time to move to the next stage: SecValOps. Security teams will look beyond implementing security practices within every IT operation to testing and validating its efficacy. Think of SecValOps as a continuous stress test intended to help businesses increase their security readiness. Secure left and validate right.
Maor Franco
Senior Director of Product Strategy, Pentera

Go to: 2022 DevSecOps Predictions - Part 2

Share this

Industry News

October 06, 2022

Platform.sh announced it has partnered with MongoDB.

October 06, 2022

Veracode announced the enhancement of its Continuous Software Security Platform to include container security.

This early access program for Veracode Container Security is now underway for existing customers.

The new Veracode Container Security offering, designed to meet the needs of cloud-native software engineering teams, addresses vulnerability scanning, secure configuration, and secrets management requirements for container images.

October 06, 2022

Mirantis announced that Mirantis Container Runtime – latest generation of the Docker Enterprise Engine, the secure container runtime that forms the foundation of Mirantis Container Cloud and Mirantis Kubernetes Engine and is used at the heart of many other Kubernetes deployments – is now available in the Microsoft Azure Marketplace.

October 05, 2022

Perforce Software announced enhanced support for automated testing with the release of Helix ALM 2022.2.

October 05, 2022

Parasoft announced the latest releases of its API and microservices testing tools, including SOAtest, Virtualize, CTP, and Selenic.

October 05, 2022

Vaadin announced the release of four Acceleration Kits designed to make it faster and easier to build and modernize Java applications for enterprise use.

October 04, 2022

Pegasystems announced the latest release of Robot Studio, the robotic process automation (RPA) low-code authoring environment for Pega's intelligent automation platform.

October 04, 2022

EvolveWare announced the Agile Business Rules Extraction (Agile BRE) solution on its Intellisys platform.

October 04, 2022

Mabl announced new features that empower quality professionals to easily validate APIs as part of their integrated end-to-end tests.

October 03, 2022

Spectro Cloud announced a major new release of its Palette Edge platform.

October 03, 2022

Arcion announced agentless change data capture (CDC) for all of its supported databases and applications.

September 29, 2022

CloudBees announced the acquisition of ReleaseIQ to expand the company’s DevSecOps capabilities, empowering customers with a low-code, end-to-end release orchestration and visibility solution.

September 29, 2022

SmartBear continues expanding its commitment to the Atlassian Marketplace, adding Bugsnag for Jira and SwaggerHub Integration for Confluence.

Bugsnag developers monitoring application stability and documenting in Jira no longer need to interrupt their workflow to access the app. Developers working in SwaggerHub can use the macro to push API definitions and changes directly to other teams and business stakeholders that work within Confluence. By increasing the presence of SmartBear tools on the Atlassian Marketplace, the company continues meeting developers where they are.

September 29, 2022

Ox Security exited stealth today with $34M in funding led by Evolution Equity Partners, Team8, and M12, Microsoft's venture fund, with participation from Rain Capital.

September 29, 2022

cnvrg.io announced that the new Intel Developer Cloud is now available via the cnvrg.io Metacloud platform, providing a fully integrated software and hardware solution.