2023 DevSecOps Predictions - Part 2
January 19, 2023

DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2023.

Start with: 2023 DevSecOps Predictions - Part 1

SOFTWARE SUPPLY CHAIN SECURITY

In the wake of multiple high profile software breaches and attacks, a strong focus in the industry has been directed to software supply chain security along with a realization that the way we have historically consumed, evaluated, built, secured and trusted software components is inherently risky. In response, application security leaders are demanding zero-vulnerability software and higher scrutiny by software producers. Vulnerabilities in software are growing in number and severity, and development organizations are unable to keep up. Securing apps and eliminating vulnerabilities is difficult expert work — the majority of engineers don't hhave the skills needed to perform this level of security. In the year ahead, we're going to see significant investments in software supply chain security platforms, tools and workflows that enable developers and dev(sec)ops to automatically deliver secure applications to production, rather than dumping yet another "unfunded/shift-left mandate" on their heads.
John Amaral
Co-Founder and CEO, Slim.AI

As threats to the software supply chain escalate, and with government regulations in the form of executive orders (EO 14028) mandating proper action to be taken, CISOs are compelled to develop and deploy better strategies to secure this area of significant weakness. After years of discussions about DevSecOps, 2023 will bring wide adoption as securing software rises to the top of the CISO priority list. Along with this will come adoption of new technologies that enable DevSecOps and help companies contend with the onslaught of threats to the software supply chain. CISOs will prioritize spend on solutions for software composition analysis, SBOMs, and securing the toolchain, and they will look for better ways to measure the health of open source components.
Eilon Elhadad
Senior Director Supply Chain, Aqua Security

Software Supply Chain Attacks Will Make 2023 the Year of the SBOM — An SBOM is a list of every software component that comprises an application and includes every library in the application’s code, as well as services, dependencies, compositions and extensions. Because of the information and visibility, it provides into software supply chains, we predict the SBOM will be widely adopted in 2023. While most of the requirements are taking place at the federal level now, expect the SBOM to spread to commercial markets soon.
Avesta Hojjati
Head of Research, DigiCert

The focus on Software Supply Chain Security to prevent the introduction of threats into software and the expedient identification and remediation when those threats are found will extend to include provenance and security of models as well. This will be further extended to focus on transparency in models decisions, auditability of model changes and impacts of those changes, and production performance of models.
Steven Huels
Senior Director of Global Software Engineering, Red Hat

SAAS CYBERSECURITY CHALLENGE

Since the pandemic changed business in many ways, we've seen rapid adoption of cloud-based DevOps. As more organizations put software at the forefront of their offering, they also realize that speed to market is significantly faster in SaaS-based applications. In 2023, we should expect to see a lot more SaaS-based market activity, especially in enterprise software development. However, a potential challenge with the move towards SaaS is cybersecurity. Companies are quick to adopt SaaS but they don't necessarily understand how cloud security works as compared to the data center security they are used to. Cybersecurity tools and products are going to surge in the next two to three years as SaaS becomes more mainstay.
Vishnu Vasudevan
Head of Product Engineering and Management, Opsera

API CYBERSECURITY CHALLENGE

APIs will continue to be a security challenge in 2023 while adoption flourishes worldwide across many vertical sectors, including open banking and fintech. APIs are the backbone of modern applications and a must-have for supply chain integrations and digital transformation initiatives. Yet, there remains a pervasive over-confidence when it comes to API security protection. The threat of undocumented APIs is real and underestimated. As a result, API attacks will continue to fly under the radar. We will see that open-source security libraries and vulnerabilities create security issues, and sophisticated bot attacks will remain a threat to API protection.
Prakash Sinha
Senior Director & Technology Evangelist, Application Security & Delivery, Radware

As a result of the continued upsurge of API development and integrations, DevOps and security teams must continue to work more closely together to ensure APIs are protected throughout all stages of their lifecycle. The headlines about API security incidents continue to hit — the latest being Optus setting aside $140M to cover costs related to its API breach. Look for organizations to start adopting more stringent API governance strategies so they can standardize how APIs are built, documented, deployed and maintained across cross-functional teams. Security teams will be looking to provide protection at runtime and also feed learnings from attackers' reconnaissance activities back to development teams so they can strengthen future APIs. In 2023, organizations will complement the urgent priority of runtime protection with additional shift-left practices so they can maximize API protection.
Nick Rago
Field CTO, Salt Security

LOW-CODE CYBERSECURITY CHALLENGE

In 2023, we will see low code platforms become the next target of software supply chain attacks. Developers will have to navigate ecosystems comprised of powerful and attractive extension modules riddled with backdoors, info stealers and other malicious injected code. As low code platforms gain momentum and their ecosystems grow through community generated modules and plug-ins, it will only be a matter of time before these platforms will be the target of bad actors and unsuspecting users will be faced with malicious code in their applications. To make things worse, low code will democratize application development, opening the art and science of coding to untrained and unsuspecting users who can be easily tricked into clicking typosquatted and crafted links. Even professional developers — who are fully aware of the risks, trained in secure development, and knowledgeable about their ecosystems — have fallen victim to this more than once. Moving forward, casual, untrained users must learn to navigate the large ecosystems of enticing plugins and modules while steering clear of the dangers of software supply chain attacks.
Pascal Geenens
Director, Threat Intelligence, Radware

AUTOMATION ACCELERATES DEVSECOPS

As organizations look ahead to 2023, automation will be a priority in maximizing shifting left principles and maintaining high security standards. Building strong, secure products throughout the software development life cycle requires continuous security integration in the delivery pipeline. Silos between developer, business development and testing teams have historically created gaps in the feedback loops leading to a slower product rollout. However, with the increased adoption of DevSecOps principles for continuous testing and deployment, teams across all business units will begin to codify their shift left practices with automation and increase communication in an effort to reduce failure. We can expect to see how such automation will further accelerate the adoption of DevSecOps. Compliance automation tools will play a key role in strengthening security and compliance policies across applications and infrastructure.
Prashanth Nanjundappa
VP, Product Development, Progress

PROACTIVE AUTOMATION

Security Automation’s Proactive Footprint Continues Expanding: Rather than focusing on retroactively building workflows and processes based on historic attacks, security automation deployments will shift to a proactive approach to help prevent attacks before they happen. Part of this involves security teams harnessing early threat intelligence signals and building defenses against them into their workflows and processes. The result will be a comprehensive new offensive-capacity framework that combines the entirety of the security stack into the most powerful protection approach to date.
Leonid Belkind
Co-Founder and CTO, Torq

AI-ASSISTED WORKFLOWS

AI-assisted workflows will gain popularity in application development. GitLab's 2022 DevSecOps survey found that 31% of respondents now use AI/ML as part of code review, and nearly half said they have full test automation. We'll continue to see this trend upward, as AI/ML will further enable rapid development, security remediation, improved test automation, and better observability.
David DeSanto
VP of Product, GitLab

DYNAMIC WHITE-BOX TESTING

Today, most DevSecOps toolchains use dependency checkers to secure their open-source supply chains, preventing incidents such as Log4Shell, and static code analysis to detect bad practices in their code. On the other hand, dynamic analysis, mostly blackbox, has been the technique used by pentesters and attackers, raising most security issues outside DevSecOps. With the latest advances in leveraging source code, such as coverage-based fuzzing, dynamic testing is finally maturing enough to be used in CI/CD pipelines. New capabilities for deterministic regression testing, deduplication of findings, and showing the causing source code locations make developers the primary user group rather than pentesters.  A nice side benefit is always being ahead of the attacker due to source code possession. I predict that in 2023, dynamic white-box testing will see increased adoption in DevSecOps, at scale.
Sergej Dechand
CEO and Co-Founder, Code Intelligence

LESS IS MORE

In 2023 I believe we'll see rebellion against systems that aren't respectful with our time. Systems that generate ample noise and minimal signal. When it comes to the demands on our attention in 2023 and beyond, less is more. Security technology is one area that has been requiring too much of our attention and energy for too long. It's frustrating because there's so much friction where it isn't necessary. There's a better way but consumers of security technology will have to demand it and developers and engineers have to work on it. One small example: authentication. As we move into 2023 we'll look to WebAuthN, Passkeys, and other passwordless systems to improve the user experience and reduce the burden on IT teams. That's where we'll really start to feel the difference. And with this feeling will come elevated expectations that then get transferred to every other aspect of our IT systems and security environments. Hopefully, it will push us to ask why it can't be simplified?
Justin McCarthy
CTO and Co-Founder, StrongDM

EDUCATION IS KEY

In 2023 and beyond, we'll see increased market education on cloud native. Staffing and lack of knowledge are two of the biggest challenges for cloud-native security. Most DevOps teams are not familiar with security methods, and it isn't their main responsibility. On the other hand, security teams are not familiar with cloud services, Kubernetes, containers and their respective security risks and countermeasures. Educating the market and moving toward a DevSecOps transformation will be critical and widespread in the coming years.
Prashanth Nanjundappa
VP, Product Development, Progress

Share this

Industry News

March 18, 2024

Kubiya.ai announces the launch of its DevOps Digital Agents.

March 18, 2024

Aviatrix® introduced Aviatrix Distributed Cloud Firewall for Kubernetes, a distributed cloud networking and network security solution for containerized enterprise applications and workloads.

March 18, 2024

Stride announces the general availability of Stride Conductor, its new autonomous coding product that transforms the software development landscape.

March 14, 2024

CircleCI unveiled CircleCI releases, which enables developers to automate the release orchestration process directly from the CircleCI UI.

March 13, 2024

Fermyon™ Technologies announces Fermyon Platform for Kubernetes, a WebAssembly platform for Kubernetes.

March 13, 2024

Akuity announced a new offer targeted at Enterprises and businesses where security and compliance are key.

March 13, 2024

New Relic launched new capabilities for New Relic IAST (Interactive Application Security Testing), including proof-of-exploit reporting for application security testing.

March 12, 2024

OutSystems announced AI Agent Builder, a new solution in the OutSystems Developer Cloud platform that makes it easy for IT leaders to incorporate generative AI (GenAI) powered applications into their digital transformation strategy, as well as govern the use of AI to ensure standardization and security.

March 12, 2024

Mirantis announced significant updates to Lens Desktop that makes working with Kubernetes easier by simplifying operations, improving efficiency, and increasing productivity. Lens 2024 Early Access is now available to Lens users.

March 12, 2024

Codezero announced a $3.5 million seed-funding round led by Ballistic Ventures, the venture capital firm dedicated exclusively to funding entrepreneurs and innovations in cybersecurity.

March 11, 2024

Prismatic launched a code-native integration building experience.

March 07, 2024

Check Point® Software Technologies Ltd. announced its Check Point Infinity Platform has been ranked as the #1 Zero Trust Platform in the latest Miercom Zero Trust Platform Assessment.

March 07, 2024

Tricentis announced the launch and availability of SAP Test Automation by Tricentis as an SAP Solution Extension.

March 07, 2024

Netlify announced the general availability of the AI-enabled deploy assist.

March 07, 2024

DataStax announced a new integration with Airbyte that simplifies the process of building production-ready GenAI applications with structured and unstructured data.