DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2023.
Start with: 2023 DevSecOps Predictions - Part 1
SOFTWARE SUPPLY CHAIN SECURITY
In the wake of multiple high profile software breaches and attacks, a strong focus in the industry has been directed to software supply chain security along with a realization that the way we have historically consumed, evaluated, built, secured and trusted software components is inherently risky. In response, application security leaders are demanding zero-vulnerability software and higher scrutiny by software producers. Vulnerabilities in software are growing in number and severity, and development organizations are unable to keep up. Securing apps and eliminating vulnerabilities is difficult expert work — the majority of engineers don't have the skills needed to perform this level of security. In the year ahead, we're going to see significant investments in software supply chain security platforms, tools and workflows that enable developers and dev(sec)ops to automatically deliver secure applications to production, rather than dumping yet another "unfunded/shift-left mandate" on their heads.
Co-Founder and CEO, Slim.AI
As threats to the software supply chain escalate, and with government regulations in the form of executive orders (EO 14028) mandating proper action to be taken, CISOs are compelled to develop and deploy better strategies to secure this area of significant weakness. After years of discussions about DevSecOps, 2023 will bring wide adoption as securing software rises to the top of the CISO priority list. Along with this will come adoption of new technologies that enable DevSecOps and help companies contend with the onslaught of threats to the software supply chain. CISOs will prioritize spend on solutions for software composition analysis, SBOMs, and securing the toolchain, and they will look for better ways to measure the health of open source components.
Senior Director Supply Chain, Aqua Security
Software Supply Chain Attacks Will Make 2023 the Year of the SBOM — An SBOM is a list of every software component that comprises an application and includes every library in the application’s code, as well as services, dependencies, compositions and extensions. Because of the information and visibility it provides into software supply chains, we predict the SBOM will be widely adopted in 2023. While most of the requirements are taking place at the federal level now, expect the SBOM to spread to commercial markets soon.
Head of Research, DigiCert
The focus on Software Supply Chain Security to prevent the introduction of threats into software and the expedient identification and remediation when those threats are found will extend to include provenance and security of models as well. This will be further extended to focus on transparency in models' decisions, auditability of model changes and impacts of those changes, and production performance of models.
Senior Director of Global Software Engineering, Red Hat
SAAS CYBERSECURITY CHALLENGE
Since the pandemic changed business in many ways, we've seen rapid adoption of cloud-based DevOps. As more organizations put software at the forefront of their offering, they also realize that speed to market is significantly faster in SaaS-based applications. In 2023, we should expect to see a lot more SaaS-based market activity, especially in enterprise software development. However, a potential challenge with the move towards SaaS is cybersecurity. Companies are quick to adopt SaaS, but they don't necessarily understand how cloud security works as compared to the data center security they are used to. Cybersecurity tools and products are going to surge in the next two to three years as SaaS becomes more of a mainstay.
Head of Product Engineering and Management, Opsera
API CYBERSECURITY CHALLENGE
APIs will continue to be a security challenge in 2023 while adoption flourishes worldwide across many vertical sectors, including open banking and fintech. APIs are the backbone of modern applications and a must-have for supply chain integrations and digital transformation initiatives. Yet, there remains a pervasive over-confidence when it comes to API security protection. The threat of undocumented APIs is real and underestimated. As a result, API attacks will continue to fly under the radar. We will see that open-source security libraries and vulnerabilities create security issues, and sophisticated bot attacks will remain a threat to API protection.
Senior Director & Technology Evangelist, Application Security & Delivery, Radware
As a result of the continued upsurge of API development and integrations, DevOps and security teams must continue to work more closely together to ensure APIs are protected throughout all stages of their lifecycle. The headlines about API security incidents continue to hit — the latest being Optus setting aside $140M to cover costs related to its API breach. Look for organizations to start adopting more stringent API governance strategies so they can standardize how APIs are built, documented, deployed and maintained across cross-functional teams. Security teams will be looking to provide protection at runtime and also feed learnings from attackers' reconnaissance activities back to development teams so they can strengthen future APIs. In 2023, organizations will complement the urgent priority of runtime protection with additional shift-left practices so they can maximize API protection.
Field CTO, Salt Security
LOW-CODE CYBERSECURITY CHALLENGE
In 2023, we will see low code platforms become the next target of software supply chain attacks. Developers will have to navigate ecosystems comprised of powerful and attractive extension modules riddled with backdoors, info stealers and other malicious injected code. As low code platforms gain momentum and their ecosystems grow through community generated modules and plug-ins, it will only be a matter of time before these platforms become the target of bad actors and unsuspecting users are faced with malicious code in their applications. To make things worse, low code will democratize application development, opening the art and science of coding to untrained and unsuspecting users who can be easily tricked into clicking typosquatted and crafted links. Even professional developers — who are fully aware of the risks, trained in secure development, and knowledgeable about their ecosystems — have fallen victim to this more than once. Moving forward, casual, untrained users must learn to navigate the large ecosystems of enticing plugins and modules while steering clear of the dangers of software supply chain attacks.
Director, Threat Intelligence, Radware
AUTOMATION ACCELERATES DEVSECOPS
As organizations look ahead to 2023, automation will be a priority in maximizing shifting left principles and maintaining high security standards. Building strong, secure products throughout the software development life cycle requires continuous security integration in the delivery pipeline. Silos between developer, business development and testing teams have historically created gaps in the feedback loops leading to a slower product rollout. However, with the increased adoption of DevSecOps principles for continuous testing and deployment, teams across all business units will begin to codify their shift left practices with automation and increase communication in an effort to reduce failure. We can expect to see how such automation will further accelerate the adoption of DevSecOps. Compliance automation tools will play a key role in strengthening security and compliance policies across applications and infrastructure.
VP, Product Development, Progress
Security Automation’s Proactive Footprint Continues Expanding: Rather than focusing on retroactively building workflows and processes based on historic attacks, security automation deployments will shift to a proactive approach to help prevent attacks before they happen. Part of this involves security teams harnessing early threat intelligence signals and building defenses against them into their workflows and processes. The result will be a comprehensive new offensive-capacity framework that combines the entirety of the security stack into the most powerful protection approach to date.
Co-Founder and CTO, Torq
AI-assisted workflows will gain popularity in application development. GitLab's 2022 DevSecOps survey found that 31% of respondents now use AI/ML as part of code review, and nearly half said they have full test automation. We'll continue to see this trend upward, as AI/ML will further enable rapid development, security remediation, improved test automation, and better observability.
VP of Product, GitLab
DYNAMIC WHITE-BOX TESTING
Today, most DevSecOps toolchains use dependency checkers to secure their open-source supply chains, preventing incidents such as Log4Shell, and static code analysis to detect bad practices in their code. On the other hand, dynamic analysis, mostly black-box, has been the technique used by pentesters and attackers, raising most security issues outside DevSecOps. With the latest advances in leveraging source code, such as coverage-based fuzzing, dynamic testing is finally maturing enough to be used in CI/CD pipelines. New capabilities for deterministic regression testing, deduplication of findings, and showing the causing source code locations make developers the primary user group rather than pentesters. A nice side benefit is always being ahead of the attacker due to source code possession. I predict that in 2023, dynamic white-box testing will see increased adoption in DevSecOps, at scale.
CEO and Co-Founder, Code Intelligence
LESS IS MORE
In 2023 I believe we'll see rebellion against systems that aren't respectful of our time. Systems that generate ample noise and minimal signal. When it comes to the demands on our attention in 2023 and beyond, less is more. Security technology is one area that has been requiring too much of our attention and energy for too long. It's frustrating because there's so much friction where it isn't necessary. There's a better way, but consumers of security technology will have to demand it, and developers and engineers will have to work on it. One small example: authentication. As we move into 2023 we'll look to WebAuthN, Passkeys, and other passwordless systems to improve the user experience and reduce the burden on IT teams. That's where we'll really start to feel the difference. And with this feeling will come elevated expectations that then get transferred to every other aspect of our IT systems and security environments. Hopefully, it will push us to ask why it can't be simplified.
CTO and Co-Founder, StrongDM
EDUCATION IS KEY
In 2023 and beyond, we'll see increased market education on cloud native. Staffing and lack of knowledge are two of the biggest challenges for cloud-native security. Most DevOps teams are not familiar with security methods, and it isn't their main responsibility. On the other hand, security teams are not familiar with cloud services, Kubernetes, containers and their respective security risks and countermeasures. Educating the market and moving toward a DevSecOps transformation will be critical and widespread in the coming years.
VP, Product Development, Progress