DEVOPSdigest

As part of DEVOPSdigest's 2020 predictions, industry experts offer predictions on how DevSecOps and related technologies will evolve and impact the business in 2020. Part 3 covers Kubernetes, APIs and more.

Start with 2020 DevSecOps Predictions - Part 1

Start with 2020 DevSecOps Predictions - Part 2

Start with 2020 DevOps Predictions

KUBERNETES ENHANCES SECURITY

While the initial adoption of Kuberentes has to do largely with enabling business innovation, the technology offers powerful opportunities to build security directly into the development process. Developers are realizing that if security isn't built in, they will suffer from undetected vulnerabilities, misconfigurations, or other factors out of their control.
Ali Golshan
CTO and Co-Founder, StackRox

DevOps and security teams are now understanding that the dynamic and ephemeral nature of cloud-native applications requires specialized capabilities to understand the moment-to-moment architecture of applications. As such, expect to see distributed tracing and Kubernetes audit log analysis to become standard requirements to manage vulnerabilities and misuse in K8s for DevOps in the upcoming months.
Gadi Naor
Founder and CTO, Alcide

Kubernetes continues to eat the CI/CD worlds. This means more and more companies are seeing the benefits of both containerization as their unit of deployment and Kubernetes as a means of orchestrating those units. These two things can be used to simplify the building, testing, and deployment of applications because they can be implemented in all three steps, as opposed to traditional methods with separate technologies and infrastructures. This trend will continue through 2020, even as FaaS takes off. An opportunity accompanies this — security initiatives will focus on integrating static scanning technologies (e.g. SAST, SCA, as well as configuration and secrets checkers) into these software-defined containers and build and deployment pipelines. Increased sophistication in operating Kubernetes will result in firms "baking in" more hardening and other security-enhancing actions into the packaging, deployment and service mesh creation. And, because these security controls are essentially embedded into orchestration, rather than conducted manually by operators, they are automatically and consistently applied, without fear of operator mistake or attrition.
Ernesto DiGiambattista
Founder, ZeroNorth

API SECURITY

Attacks on application programming interfaces (APIs) will increase in 2020, and business spend to secure them will spike as a result. Unsecure APIs can lead to exposure of massive information loads, from airline ticketing to online ordering. For example, two years ago, a large food retailer leaked nearly 37 million customer records due to unsecure access to its backend server and sequentially numbering customer records. This allowed for easy enumeration of the retailer's entire customer base. Further, just last year, more than 140 airlines had customer information compromised because the booking system allowed anyone to access passenger records just by changing an identifier in the URL. Expect to see an increase in business spend to secure APIs in the coming year to prevent these damaging attacks.
Jonathan DiVincenzo
VP of Product Management, Signal Sciences

API management is ripe for automation with new AI capabilities that protect and control APIs in an intelligent way. This might include API policies that reconfigure dynamically based on traffic, security threats, and identified patterns.
Ann Marie Bond
Senior Manager, Product Management, Software AG

SECURITY FOR SERVERLESS ENVIRONMENTS

Expect serverless adoption to increase — even more than it already has — throughout 2020. The advantages of serverless for reducing operational complexity, enabling greater DevOps efficiency and agility, and delivering better cost efficiencies are becoming (rightfully) too tempting for enterprises to pass up. But DevOps teams in 2020 will also need to develop security strategies that match serverless' specific requirements. I predict many DevOps will find out the hard way that serverless deployments differ considerably from traditional server or containerized deployments. More specifically, serverless architecture does not allow for firewalls, instrumentation agents, IDS or IPS solutions, or other more traditional server security tools. Therefore, implementing an effective and dedicated security solution will become a vital concern for any organization deploying serverless environments in 2020.
Gary Duan
CTO, NeuVector

APPLICATION SECURITY TESTING (AST)

With very high level breaches and hacks happening across industries, application security testing (AST) has become a critical topic of concern. This is giving a high impetus to implementation of practices such as DevSecOps. To keep the complex applications safe, and yet meet the tight go-to-market deadlines, organizations must continuously accelerate efforts to integrate and automate AST across SDLC.
Rajesh Sarangapani
AVP, Cigniti Technologies

DEVSECOPS TOOLS: ZERO VULNERABILITIES

Based on IT Central Station user reviews of DevSecOps solutions, we can expect to see continued improvements in security and code quality next year. Developers and architects reviewing the solution would like the solution to go a step further. They would like their DevSecOps solutions to have zero vulnerabilities with minimal false positives, and the vendors who can build these features into their solutions will likely gain the support of more technical users in 2020.
Russell Rothstein
Founder and CEO, IT Central Station

SECURITY BOTS

The next level of security control is bots that sit in your network, constantly monitoring behavior and use machine learning to determine patterns that are threats.
Ann Marie Bond
Senior Manager, Product Management, Software AG