DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2023.
SECURITY-FIRST MINDSET
As developers continue to rely on open source code to build applications, hefty security concerns around vulnerabilities and secret leakage loom over organizations. In 2023, we see a mindset shift and full commitment from DevSecOps to shore up these SDLC security gaps and ensure zero trust. Many will migrate to CNAPP platforms incorporating security of the code itself - from development to production on through to runtime. By ‘shifting left’ even further and offering pipeline security and code functionality into one unified platform, teams can adopt a prevention-first mindset that addresses security issues before they become real problems.
Dotan Nahum
Head of Developer Security, Check Point Software Technologies
SECURITY - TOP PRIORITY FOR CIO
Security will be a top priority for CIOs heading into 2023. It hasn't been in the news this year quite as much as it was last year, but it remains the biggest problem that CIOs are facing. While awareness of the problem has certainly increased, I don't think most companies have made real progress in addressing the issues. Ransomware is still a big problem — still a growing problem, in fact, even though we haven't seen as many high-profile attacks as we did in 2021. Or maybe they're just old news. Ransomware operators have added extortion to their bag of tricks. In addition to encrypting data, they will sell it or just release it if the victim doesn't pay. Software supply chain attacks are another huge issue. They don't get quite as much coverage because few people really understand how many pieces of software, and how many different sources, are combined to make any product. Of course, there are many other kinds of attacks. These are the two that CIOs really need to focus on.
Mike Loukides
VP of Emerging Tech Content, O'Reilly Media
DEVSECOPS REPLACES DEVOPS
DevSecOps will evolve slowly to replace DevOps in 2023. DevSecOps is an evolution of DevOps that emerged from the need for security considerations to be addressed earlier in the development cycle rather than being bolted on as an afterthought. Far from being yet another add-on to DevOps, DevSecOps is an entire culture and tooling change that puts the responsibility for security at the build stage before shipping features to customers. This paradigm shift is necessary because of the significant increase in cyber attacks on applications. As more organizations embrace serverless, microservice architectures, Docker, Kubernetes, and similar modern-day cloud technologies, security will take center stage eventually becoming a part of DevOps by default.
Brian Galura
CEO, Convox
DEVSECOPS GETS HUGE BOOST
DevSecOps will get a huge boost as more and more organizations with matured/maturing DevOps practices will opt to enhance and integrate security into their DevOps pipelines. Security should be baked-in instead of bolted-on, so a DevSecOps mindset that advocates moving security left and considering security in every stage of DevOps will be the talk of the town and will get huge attention next year. With a lot of upcoming interest and opportunities in the DevSecOps space, we could also expect security vendors to provide umbrella security solutions to secure all stages of DevOps, instead of focusing on individual stages.
Ayush Kaushik
Manager, Product Security, Avalara
Going into 2023, we expect Developers will finally grow tired of being the last to know when it comes to application security and revolt against ticketing interface-type tools. Developer teams will have more budget and influence over security testing tools and AppSec providers will invest more in the developer experience. The combination will help drive the widespread adoption of a DevSecOps philosophy.
Scott Gerlach
CSO and Co-Founder, StackHawk
DEVOPS MUST OWN SECURITY AND COMPLIANCE
DevOps will need to own security and compliance on some level in 2023 because security control operations will become a more rigorous and critical aspect of their contributions. Security operations owned by DevOps teams must be discretely defined to allow for valid testing of the security controls. Automated testing of deployment processes, data privacy and business continuity will become critical responsibilities of this role. DevOps teammates will need to be conversant in certifications like SOC 2, ISO 27001 and HIPAA to understand their responsibilities and respond to related organizational compliance goals.
Justin Beals
CEO and Co-Founder, Strike Graph
PLATFORM TEAMS DRIVE DEVSECOPS
As we enter the New Year, organizations will be looking to balance accelerating modernization efforts while optimizing costs, managing risk and driving revenue. In 2023, I predict we’ll see more organizations implementing platform teams to standardize tools, platforms, to streamline and strengthen software delivery and operations of modern applications. Platform teams are integral to a DevSecOps practice by not only building and running the platform developers use to create new applications that drive business revenue while "shifting left" management and security, and partnering with Cloud Operations team to automate and optimize use of cloud resources. By having teams devoted to running platform as a product, organizations will improve the developer productivity, deliver secure applications continuously and operate applications at scale across clouds.
Ajay Patel
SVP and GM, Modern Applications & Management Business, VMware
SECURITY IS ORGANIZATION-WIDE RESPONSIBILITY
As remote development becomes more and more commonplace, software supply chain security will play a more expansive role across the SDLC. Security responsibilities will span from the IDE and extend to applications running in production, continuing the ongoing trend toward security as an organization-wide responsibility.
David DeSanto
VP of Product, GitLab
Amid rising cyber threats and endemic vulnerabilities such as Log4Shell, security and cyber resilience need to be viewed as a shared responsibility that falls on everyone involved in innovation. Organizations who take out cyber-insurance policies will need to demonstrate that all team members, including development and operations, are accountable for delivering secure innovation. Organizations will need to be focused on finding solutions that enable them to build a holistic DevSecOps approach, which will require greater investment into observability platforms that support cross-departmental processes to ensure all teams have the information necessary to minimize risk.
Amit Shah
Director of Product Marketing, Dynatrace
Everyone needs to take part in DevSecOps — Up until now, DevSecOps was mostly a discipline for devs, devops, and security teams. But as the tech-stack continues to grow larger and more complex, everyone from product and sales to marketing and support needs to be actively involved, as everyone is becoming (low-code) developers. This would be most apparent in areas like IAM (defining identities, passwordless experience management, and managing application permissions and access-control); CI/CD (feature gating, adjusting, and toggling); and data-enrichment (PII redaction and privacy). These key features dramatically impact customer experiences and business interactions.
Or Weis
CEO & Co-Founder, Permit.io
SECURITY SHIFTS LEFT
Most of our users in the test space are being asked to do security testing as part of a shift-left motion. I believe 2023 will see more widespread security testing happening in parallel with application development, rather than at the end, right before release. The ability to add in OWASP Top 10 scanning alongside existing tests will be a differentiator.
Marcus Merrell
VP of Technology Strategy, Sauce Labs
Now, the reality is a matter of when, not if, your organization will be the target of an attack. To combat this rising security concern, organizations will need to integrate security within the development process from the very beginning. Integrating security and compliance testing upfront will greatly reduce risk and prevent disruptions.
Kevin Thompson
CEO and Executive Chairman, Tricentis
COOPERATION BETWEEN TRADITIONAL SECURITY AND SHIFT-LEFT
Lately the market has been focused on the shift left and a lot of resources were invested to educate and build proper security tools to address these issues in cloud native pipelines (SCM security, CI/CD etc). Attackers see that there’s a gap between the shift left stakeholders (developers and devops) and the more traditional security practitioners (CISO office etc). We predict that the cooperation between the more traditional security groups in the organization and the shift left stakeholders will increase in the coming year.
Assaf Morag
Lead Data Analyst, Aqua Security
GOING BEYOND SHIFT-LEFT
Our mobile devices are frequently at arm's reach and store personal, sensitive data, so it should be no surprise that this is a primary target of malicious attacks. After another trying year of data breaches and cyber threats, organizations and their development teams must better prioritize cyber resilience and risk-reducing strategies in 2023 for the sake of their customers. To achieve this, teams can introduce a shift left approach to security to implement codes and policies earlier in the development process that identify mobile security gaps and potential weaknesses. However, the most successful teams will integrate these security testing parameters and checkpoints throughout the entire development lifecycle in a continuous and agile manner — taking this a step beyond only "shifting left." Expect to see more development teams bring security analysis into the CI/CD pipeline, including static code and dynamic analysis activities and validating with functional testing and mocking services in the new year.
Eran Kinsbruner
Chief Evangelist, Perforce Software