2023 DevSecOps Predictions - Part 2
January 19, 2023

DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2023.

Start with: 2023 DevSecOps Predictions - Part 1

SOFTWARE SUPPLY CHAIN SECURITY

In the wake of multiple high profile software breaches and attacks, a strong focus in the industry has been directed to software supply chain security along with a realization that the way we have historically consumed, evaluated, built, secured and trusted software components is inherently risky. In response, application security leaders are demanding zero-vulnerability software and higher scrutiny by software producers. Vulnerabilities in software are growing in number and severity, and development organizations are unable to keep up. Securing apps and eliminating vulnerabilities is difficult expert work — the majority of engineers don't have the skills needed to perform this level of security. In the year ahead, we're going to see significant investments in software supply chain security platforms, tools and workflows that enable developers and dev(sec)ops to automatically deliver secure applications to production, rather than dumping yet another "unfunded/shift-left mandate" on their heads.
John Amaral
Co-Founder and CEO, Slim.AI

As threats to the software supply chain escalate, and with government regulations in the form of executive orders (EO 14028) mandating proper action to be taken, CISOs are compelled to develop and deploy better strategies to secure this area of significant weakness. After years of discussions about DevSecOps, 2023 will bring wide adoption as securing software rises to the top of the CISO priority list. Along with this will come adoption of new technologies that enable DevSecOps and help companies contend with the onslaught of threats to the software supply chain. CISOs will prioritize spend on solutions for software composition analysis, SBOMs, and securing the toolchain, and they will look for better ways to measure the health of open source components.
Eilon Elhadad
Senior Director Supply Chain, Aqua Security

Software Supply Chain Attacks Will Make 2023 the Year of the SBOM — An SBOM is a list of every software component that comprises an application and includes every library in the application's code, as well as services, dependencies, compositions and extensions. Because of the information and visibility it provides into software supply chains, we predict the SBOM will be widely adopted in 2023. While most of the requirements are taking place at the federal level now, expect the SBOM to spread to commercial markets soon.
Avesta Hojjati
Head of Research, DigiCert
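One way to put the visibility an SBOM provides to work, as an added example that is not part of this article or any vendor's product: the script below parses a constructed, minimal CycloneDX-style SBOM and flags components whose version predates the fix listed in a constructed advisory feed (placeholder advisory ids and package names, not real CVEs or libraries).

```python
import json

# Constructed minimal CycloneDX-style SBOM (not taken from any real product).
# Libraries carry a purl (package URL); the service dependency does not.
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "parser-utils", "version": "1.4.2",
     "purl": "pkg:maven/com.example/parser-utils@1.4.2"},
    {"type": "library", "name": "json-mapper", "version": "2.3.1",
     "purl": "pkg:maven/com.example/json-mapper@2.3.1"},
    {"type": "service", "name": "payments-api", "version": "3.1.0"}
  ]
}"""

# Constructed advisory feed with placeholder ids (not real CVEs), keyed by purl
# without its version, giving the first version in which the issue is fixed.
ADVISORIES = {
    "pkg:maven/com.example/parser-utils": [("ADV-EXAMPLE-0001", "1.5.0")],
    "pkg:maven/com.example/json-mapper": [("ADV-EXAMPLE-0002", "2.0.0")],
}


def parse_version(version):
    """Turn "1.10.0" into (1, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def component_key(component):
    """Advisories are keyed by purl minus the "@version" suffix; components with no
    purl (e.g. services) fall back to type:name so they are still inventoried."""
    purl = component.get("purl")
    if purl:
        return purl.split("@", 1)[0]
    return f"{component['type']}:{component['name']}"


def affected_components(sbom_json, advisories):
    """Return (name, version, advisory id) for each SBOM component whose version
    is below the first fixed version of a matching advisory."""
    sbom = json.loads(sbom_json)
    findings = []
    for component in sbom.get("components", []):
        for advisory_id, fixed_in in advisories.get(component_key(component), []):
            if parse_version(component["version"]) < parse_version(fixed_in):
                findings.append((component["name"], component["version"], advisory_id))
    return findings
```

Running `affected_components(SBOM_JSON, ADVISORIES)` reports only parser-utils 1.4.2, since json-mapper is already past its fixed version and the service has no advisory entry.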

The focus on Software Supply Chain Security to prevent the introduction of threats into software and the expedient identification and remediation when those threats are found will extend to include provenance and security of models as well. This will be further extended to focus on transparency in models' decisions, auditability of model changes and impacts of those changes, and production performance of models.
Steven Huels
Senior Director of Global Software Engineering, Red Hat

SAAS CYBERSECURITY CHALLENGE

Since the pandemic changed business in many ways, we've seen rapid adoption of cloud-based DevOps. As more organizations put software at the forefront of their offering, they also realize that speed to market is significantly faster in SaaS-based applications. In 2023, we should expect to see a lot more SaaS-based market activity, especially in enterprise software development. However, a potential challenge with the move towards SaaS is cybersecurity. Companies are quick to adopt SaaS but they don't necessarily understand how cloud security works as compared to the data center security they are used to. Cybersecurity tools and products are going to surge in the next two to three years as SaaS becomes more mainstay.
Vishnu Vasudevan
Head of Product Engineering and Management, Opsera

API CYBERSECURITY CHALLENGE

APIs will continue to be a security challenge in 2023 while adoption flourishes worldwide across many vertical sectors, including open banking and fintech. APIs are the backbone of modern applications and a must-have for supply chain integrations and digital transformation initiatives. Yet, there remains a pervasive over-confidence when it comes to API security protection. The threat of undocumented APIs is real and underestimated. As a result, API attacks will continue to fly under the radar. We will see that open-source security libraries and vulnerabilities create security issues, and sophisticated bot attacks will remain a threat to API protection.
Prakash Sinha
Senior Director & Technology Evangelist, Application Security & Delivery, Radware

As a result of the continued upsurge of API development and integrations, DevOps and security teams must continue to work more closely together to ensure APIs are protected throughout all stages of their lifecycle. The headlines about API security incidents continue to hit — the latest being Optus setting aside $140M to cover costs related to its API breach. Look for organizations to start adopting more stringent API governance strategies so they can standardize how APIs are built, documented, deployed and maintained across cross-functional teams. Security teams will be looking to provide protection at runtime and also feed learnings from attackers' reconnaissance activities back to development teams so they can strengthen future APIs. In 2023, organizations will complement the urgent priority of runtime protection with additional shift-left practices so they can maximize API protection.
Nick Rago
Field CTO, Salt Security

LOW-CODE CYBERSECURITY CHALLENGE

In 2023, we will see low code platforms become the next target of software supply chain attacks. Developers will have to navigate ecosystems comprised of powerful and attractive extension modules riddled with backdoors, info stealers and other malicious injected code. As low code platforms gain momentum and their ecosystems grow through community generated modules and plug-ins, it will only be a matter of time before these platforms will be the target of bad actors and unsuspecting users will be faced with malicious code in their applications. To make things worse, low code will democratize application development, opening the art and science of coding to untrained and unsuspecting users who can be easily tricked into clicking typosquatted and crafted links. Even professional developers — who are fully aware of the risks, trained in secure development, and knowledgeable about their ecosystems — have fallen victim to this more than once. Moving forward, casual, untrained users must learn to navigate the large ecosystems of enticing plugins and modules while steering clear of the dangers of software supply chain attacks.
Pascal Geenens
Director, Threat Intelligence, Radware

AUTOMATION ACCELERATES DEVSECOPS

As organizations look ahead to 2023, automation will be a priority in maximizing shifting left principles and maintaining high security standards. Building strong, secure products throughout the software development life cycle requires continuous security integration in the delivery pipeline. Silos between developer, business development and testing teams have historically created gaps in the feedback loops leading to a slower product rollout. However, with the increased adoption of DevSecOps principles for continuous testing and deployment, teams across all business units will begin to codify their shift left practices with automation and increase communication in an effort to reduce failure. We can expect to see how such automation will further accelerate the adoption of DevSecOps. Compliance automation tools will play a key role in strengthening security and compliance policies across applications and infrastructure.
Prashanth Nanjundappa
VP, Product Development, Progress

PROACTIVE AUTOMATION

Security Automation’s Proactive Footprint Continues Expanding: Rather than focusing on retroactively building workflows and processes based on historic attacks, security automation deployments will shift to a proactive approach to help prevent attacks before they happen. Part of this involves security teams harnessing early threat intelligence signals and building defenses against them into their workflows and processes. The result will be a comprehensive new offensive-capacity framework that combines the entirety of the security stack into the most powerful protection approach to date.
Leonid Belkind
Co-Founder and CTO, Torq

AI-ASSISTED WORKFLOWS

AI-assisted workflows will gain popularity in application development. GitLab's 2022 DevSecOps survey found that 31% of respondents now use AI/ML as part of code review, and nearly half said they have full test automation. We'll continue to see this trend upward, as AI/ML will further enable rapid development, security remediation, improved test automation, and better observability.
David DeSanto
VP of Product, GitLab

DYNAMIC WHITE-BOX TESTING

Today, most DevSecOps toolchains use dependency checkers to secure their open-source supply chains, preventing incidents such as Log4Shell, and static code analysis to detect bad practices in their code. On the other hand, dynamic analysis, mostly blackbox, has been the technique used by pentesters and attackers, raising most security issues outside DevSecOps. With the latest advances in leveraging source code, such as coverage-based fuzzing, dynamic testing is finally maturing enough to be used in CI/CD pipelines. New capabilities for deterministic regression testing, deduplication of findings, and showing the causing source code locations make developers the primary user group rather than pentesters. A nice side benefit is always being ahead of the attacker due to source code possession. I predict that in 2023, dynamic white-box testing will see increased adoption in DevSecOps, at scale.
Sergej Dechand
CEO and Co-Founder, Code Intelligence

LESS IS MORE

In 2023 I believe we'll see rebellion against systems that aren't respectful with our time. Systems that generate ample noise and minimal signal. When it comes to the demands on our attention in 2023 and beyond, less is more. Security technology is one area that has been requiring too much of our attention and energy for too long. It's frustrating because there's so much friction where it isn't necessary. There's a better way, but consumers of security technology will have to demand it and developers and engineers have to work on it. One small example: authentication. As we move into 2023 we'll look to WebAuthN, Passkeys, and other passwordless systems to improve the user experience and reduce the burden on IT teams. That's where we'll really start to feel the difference. And with this feeling will come elevated expectations that then get transferred to every other aspect of our IT systems and security environments. Hopefully, it will push us to ask why it can't be simplified.
Justin McCarthy
CTO and Co-Founder, StrongDM

EDUCATION IS KEY

In 2023 and beyond, we'll see increased market education on cloud native. Staffing and lack of knowledge are two of the biggest challenges for cloud-native security. Most DevOps teams are not familiar with security methods, and it isn't their main responsibility. On the other hand, security teams are not familiar with cloud services, Kubernetes, containers and their respective security risks and countermeasures. Educating the market and moving toward a DevSecOps transformation will be critical and widespread in the coming years.
Prashanth Nanjundappa
VP, Product Development, Progress
