Broadcom announced the general availability of VMware Tanzu Platform 10 that establishes a new layer of abstraction across Cloud Foundry infrastructure foundations to make it easier, faster, and less expensive to bring new applications, including GenAI applications, to production.
As part of DEVOPSdigest's 2020 predictions, industry experts offer predictions on how DevSecOps and related technologies will evolve and impact the business in 2020. Part 2 offers predictions about shifting left, automation and more.
Start with 2020 DevSecOps Predictions - Part 1
Start with 2020 DevOps Predictions
SHIFTING LEFT
It's time for DevSecOps to really start catching on. The increase in cyber incidents should be enough warning for organizations that they have to start doing a better job with cybersecurity and AppSec. DevSecOps means getting security to permeate your entire process and organization. Part of this is testing early and often, which is achieved with technologies like service virtualization and modern test automation tools. Organizations that are serious about security will shift even further left by building code and systems that are more secure in the first place. This will be done like other industries by relying on known best practices as embodied in proven quality, safety, and security coding standards like MISRA, UL 2900, and CERT.
Arthur Hicken
Evangelist, Parasoft
Security will continue to "Shift Left" (with a little help from the cloud). The rise of cloud infrastructure will be a positive force in driving this change. DevOps will help — ensuring the value of security is front and center. As security is tackled early in the development process, companies will no longer be able to sidestep or delay security processes and procedures, let alone question if they're affordable.
Tim Armandpour
SVP of Engineering, PagerDuty
DevSecOps will shift left as enterprises prioritize security and employee privacy: A reported 53% of online users are currently more concerned about their online privacy compared to a year ago. With heightened privacy concerns, there will be an increased focus on addressing both corporate security and user privacy concerns much earlier in the development cycle. Dev teams will start investigating tech that provides granular controls that address both security and privacy, such as app level security. In parallel, teams will also investigate how to automate security integration into the development lifecycle. Cybersecurity programming skills are in short supply and there is no cost effective way for teams to address the growing dev demands through solely manual coding. Having security automatically integrated addresses the mundane nature of certain repeatable processes, freeing up developer time. More importantly, automation that brings in security tech early in the lifecycle allows the entire solution to be tested at once, again saving dev cycles. If security isn't shifted left (i.e., brought into the dev cycle early) testing will have to be repeated once security is added in.
Nikfar Khaleeli
VP of Products, Blue Cedar
THINKING RIGHT
There are more apps in production than before, and the risk of apps being breached at this stage is at an all-time high. Apps in production are most vulnerable, with a higher time to fix and window of exposure. Plus, with most development teams short on resources, it's often hard for them to focus on the security aspect. Therefore, these apps are easy for hackers to exploit. In fact, an average of more than 50% of apps are always vulnerable for organizations that don't have the right secure development practices in place. When you "think right" you are: starting with highest-risk apps in production to find and fix vulnerabilities; incorporating security measures at the most critical points in the software lifecycle (SLC), starting with production ; integrating security throughout the SLC from production all the way to development. In 2020, we will see this approach being adopted more widely.
Setu Kulkarni
VP, Strategy and Business Development, WhiteHat Security
AUTOMATION OF SECURITY
We're going to see security engineering — DevSecOps — become actual practice. Teams will be writing more code that automates security controls and compliance requirements. The need here is inevitable and urgent: because so much of this cloud-native world is highly dynamic, with so many moving parts, we can no longer get by with people manually doing security or compliance checks. Security and compliance controls must be automated if we are going to truly realize the time-to-market promise of containerization.
Tim Hinrichs
CTO and Co-Founder, Styra
In 2020, we will see organizations automating enforcement, remediation, and response as it relates to cybersecurity. Trying to "Shift Left," cover the middle, and respond to runtime attacks is simply too much to handle without tapping into the power of automation. At the same time, security automation is risky. What if you disrupt services and cause an outage? Now that we have automated most every other piece in the development lifecycle, it's time to figure out how to take security automation to the next level. Just as technology and automation has empowered developers and applications, it too will empower security. In 2020, we will see the difficult and complex security issues addressed with automation. This will extend from early enforcement before deployment, to continuous security of infrastructure, to automating incident response at run-time.
James Condon
Director of Research, Lacework
Security "policy as code" — and overall, easier security automation — will change how DevOps (and DevSecOps) teams approach container security in 2020. Kubernetes ConfigMaps and Custom Resource Definitions (CRDs) are making it possible for configurations and rules to be automated right into the CI/CD and DevOps pipeline. Because of this, DevOps teams in 2020 will be much better equipped to analyze application behavior and set security policies for any and all workload deployments via YAML files. Expect this evolution of more efficient and automated security integration processes to be a particularly welcome change for DevOps.
Gary Duan
CTO, NeuVector
DEVSECOPS BUILT INTO CI
With the rising number of data breaches and increased emphasis on data privacy regulations such as PSD2 and GDPR both in the US and globally, DevOps-savvy organizations will be forced to prioritize diligence in security measures over time to market in the year ahead. As new regulations are put into place, more application developers will be mandated to build strict security policies directly within code. There will be an uptick in DevOps tools that cater to automating more compliance-related tasks within infosec teams, thus incorporating security and compliance measures into every day CI (continuous integration) workflows.
Sid Phadkar
Senior Product Manager, Akamai
DEVSECOPS UNLOCKS POWER OF THE CLOUD
As enterprises realize the necessity and opportunity of integrating security into the CI/CD pipeline in 2020, they will simultaneously unlock the promise of the cloud for extreme agility while improving overall security and compliance. As a bonus, doing this well can eliminate the historical conflict between application/development and security and turn it into a positive, beneficial collaboration.
Reuven Harrison
CTO and Co-founder, Tufin
Industry News
Tricentis announced the expansion of its test management and analytics platform, Tricentis qTest, with the launch of Tricentis qTest Copilot.
Redgate is introducing two new machine learning (ML) and artificial intelligence (AI) powered capabilities in its test data management and database monitoring solutions.
Upbound announced significant advancements to its platform, targeting enterprises building self-service cloud environments for their developers and machine learning engineers.
Edera announced the availability of Am I Isolated, an open source container security benchmark that probes users runtime environments and tests for container isolation.
Progress announced 10 years of partnership with emt Distribution — a leading cybersecurity distributor in the Middle East and Africa.
Port announced $35 million in Series B funding, bringing its total funding to $58M to date.
Parasoft has made another step in strategically integrating AI and ML quality enhancements where development teams need them most, such as using natural language for troubleshooting or checking code in real time.
MuleSoft announced the general availability of full lifecycle AsyncAPI support, enabling organizations to power AI agents with real-time data through seamless integration with event-driven architectures (EDAs).
Numecent announced they have expanded their Microsoft collaboration with the launch of Cloudpager's new integration to App attach in Azure Virtual Desktop.
Progress announced the completion of the acquisition of ShareFile, a business unit of Cloud Software Group, providing a SaaS-native, AI-powered, document-centric collaboration platform, focusing on industry segments including business and professional services, financial services, industrial and healthcare.
Incredibuild announced the acquisition of Garden, a provider of DevOps pipeline acceleration solutions.
The Open Source Security Foundation (OpenSSF) announced an expansion of its free course “Developing Secure Software” (LFD121).
Redgate announced that its core solutions are listed in Amazon Web Services (AWS) Marketplace.
LambdaTest introduced a suite of new features to its AI-powered Test Manager, designed to simplify and enhance the test management experience for software development and QA teams.