As part of the 2022 DevOps Predictions list, DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2022. This is Part 2.
INCREASED SCRUTINY ON SOFTWARE SUPPLY CHAIN SECURITY
As part of the executive order to improve the nation's cybersecurity previously mentioned, one area of focus is the need to enhance software supply chain security. There are many aspects included that most would consider industry best practice of a robust DevSecOps program, but one area that will see increased scrutiny is providing the purchaser, the government in this example, a software bill of materials. This would be a complete list of all software components leveraged within the software solution along with where it comes from. The expectation is that everything that is used within or can affect your software, such as open source, is understood, versions tracked, scrutinized for security issues & risks, assessed for vulnerabilities, and monitored, just as you do with any in-house developed code. This will have an impact on organizations that both consume and those who deliver software services. Considering this can be very manual and time consuming, we could expect that Third Party Risk Management teams will likely play a key role in developing programs to track and assess software supply chain security, especially considering they are usually the front line team who also receives inbound security questionnaires from their business partners.
John Hellickson
Cyber Executive Advisor, Coalfire
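An added example of the consuming side of the software bill of materials described above (not code from the author, Coalfire or DEVOPSdigest): it reads a constructed CycloneDX-style SBOM, records what each component is, which version is in use and who supplies it, then flags components with no recorded origin and components whose version predates a fix in a constructed advisory list. The SBOM contents, the component names and the ADV-EXAMPLE advisory IDs are all placeholders; the version comparison is a simple numeric-prefix comparison written for this example, not a packaging-library implementation.

```python
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed CycloneDX-style SBOM. The layout (bomFormat, components[] with
# name, version, purl and supplier) follows the CycloneDX JSON format; the
# component names and versions are placeholders, not real packages.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "example-http", "version": "2.3.1",
         "purl": "pkg:pypi/example-http@2.3.1",
         "supplier": {"name": "Example Maintainers"}},
        {"type": "library", "name": "example-yaml", "version": "5.1",
         "purl": "pkg:pypi/example-yaml@5.1"},
        {"type": "library", "name": "example-crypto", "version": "1.0.0",
         "purl": "pkg:npm/example-crypto@1.0.0",
         "supplier": {"name": "Example Org"}},
    ],
})

# Constructed advisory feed (placeholder IDs, not real CVEs): a component is
# affected when its version is older than the fixed_in version.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "name": "example-yaml", "fixed_in": "5.4"},
    {"id": "ADV-EXAMPLE-0002", "name": "example-http", "fixed_in": "2.2.0"},
]


@dataclass
class Component:
    name: str
    version: str
    purl: str
    supplier: Optional[str]


def parse_sbom(sbom_json: str) -> List[Component]:
    """Extract what is used, which version, and where it comes from."""
    doc = json.loads(sbom_json)
    out = []
    for c in doc.get("components", []):
        supplier = c.get("supplier", {}).get("name")
        out.append(Component(c["name"], c["version"], c.get("purl", ""), supplier))
    return out


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric-prefix parsing, enough for dotted versions like 2.3.1 or 5.1."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is older than version b (missing trailing parts count as 0)."""
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    return pa + (0,) * (n - len(pa)) < pb + (0,) * (n - len(pb))


def assess(components: List[Component], advisories: List[Dict[str, str]]) -> Dict[str, list]:
    """Flag components with no recorded origin and components matching an advisory."""
    report: Dict[str, list] = {"missing_origin": [], "affected": []}
    for comp in components:
        if not comp.supplier:
            report["missing_origin"].append(comp.name)
        for adv in advisories:
            if adv["name"] == comp.name and version_lt(comp.version, adv["fixed_in"]):
                report["affected"].append((comp.name, comp.version, adv["id"]))
    return report


if __name__ == "__main__":
    result = assess(parse_sbom(SAMPLE_SBOM), SAMPLE_ADVISORIES)
    for name in result["missing_origin"]:
        print(f"no supplier/origin recorded: {name}")
    for name, ver, adv_id in result["affected"]:
        print(f"{name}@{ver} affected by {adv_id}")
```

Run against a real SBOM, the same two checks are what a third-party risk team would automate first: every component has a traceable origin, and every (name, version) pair is matched against an advisory feed on each new SBOM rather than once at onboarding.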
DEVSECOPS HARNESSES AUTOMATION
Building strong, secure products throughout the software development life cycle requires continuous security integration in the delivery pipeline. Silos between developer, business development and testing teams continue to create gaps in the feedback loops, leading to a slower product rollout. However, with the increased adoption of DevSecOps principles for continuous testing and deployment, teams across all business units should codify their shift left practices with automation and increase communication in an effort to reduce failure. As organizations look ahead to 2022, automation will be a priority in maximizing shifting left principles and maintaining high security standards.
Prashanth Nanjundappa
Senior Director and Head of Chef Products, Progress
Mobile apps are notoriously insecure, with study after study showing that a majority lack even the most basic security protections. Consumers haven't yet revolted, but only because they can't differentiate between secure and insecure apps. Surveys show consumers strongly value security. Apple is already marketing the iPhone on privacy and security. App publishers will follow suit by marketing the security of their apps next year. But to do so, they need to enable mobile DevSecOps, which is essentially impossible with current methods, especially since for many organizations, DevSecOps is all about testing, and testing isn't enough. Security must be implemented from the start and vulnerabilities must be fixed once identified. While Mobile DevOps uses CI/CD tools to automate the building of mobile apps and deploy these apps into production, security implementation is still mostly manual, which is very slow. Most security requirements don't make it into releases, and even identified vulnerabilities often don't get fixed. To overcome this obstacle to DevSecOps, mobile development will increasingly automate mobile app security implementation in 2022.
Tom Tovar
CEO and Co-Creator, Appdome
CONTAINER SECURITY AUTOMATION
DevOps and DevSecOps teams at enterprises regulated by PCI-DSS, HIPAA, GDPR, and other strict compliance frameworks will see an accelerated push into container security automation in 2022. Automated processes are quickly becoming a requisite strategy to keep cloud native environments continually in line with regulations. And as more DevOps teams acknowledge automation as the only realistic method for achieving data security at the scale these environments require, expect teams to leverage automated scanning for YAML files and other Kubernetes resources to address misconfigurations and remove risk.
Fei Huang
Chief Strategy Officer, NeuVector
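An added example of the automated Kubernetes resource scanning mentioned above (not code from the author, NeuVector or DEVOPSdigest): it walks a Pod or a workload's pod template and reports a handful of common hardening misconfigurations. The two manifests are constructed for this example and are written as JSON, which the Kubernetes API accepts alongside YAML; for real .yaml files you would load the objects with PyYAML's yaml.safe_load_all() and pass them to scan_object(). The checks, thresholds and messages are this example's own choices, not a policy from any particular tool.

```python
import json
from typing import Any, Dict, List

# Constructed manifests: one deliberately weak Deployment ("web") and one
# hardened Pod ("api"). Names and images are placeholders.
SAMPLE_MANIFESTS = json.dumps([
    {
        "apiVersion": "apps/v1", "kind": "Deployment",
        "metadata": {"name": "web"},
        "spec": {"template": {"spec": {
            "hostNetwork": True,
            "containers": [{
                "name": "nginx", "image": "nginx:latest",
                "securityContext": {"privileged": True},
            }],
        }}},
    },
    {
        "apiVersion": "v1", "kind": "Pod",
        "metadata": {"name": "api"},
        "spec": {
            "securityContext": {"runAsNonRoot": True},
            "containers": [{
                "name": "api", "image": "example/api:1.4.2",
                "securityContext": {"allowPrivilegeEscalation": False,
                                    "readOnlyRootFilesystem": True},
                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}},
            }],
        },
    },
])


def pod_spec(obj: Dict[str, Any]) -> Dict[str, Any]:
    """Return the pod spec for a bare Pod, or the embedded template spec for a workload."""
    if obj.get("kind") == "Pod":
        return obj.get("spec", {})
    return obj.get("spec", {}).get("template", {}).get("spec", {})


def scan_object(obj: Dict[str, Any]) -> List[str]:
    """Apply a small set of hardening checks; one message per failed check."""
    findings: List[str] = []
    name = obj.get("metadata", {}).get("name", "<unnamed>")
    spec = pod_spec(obj)
    pod_sc = spec.get("securityContext", {})
    if spec.get("hostNetwork"):
        findings.append(f"{name}: hostNetwork is enabled")
    for c in spec.get("containers", []):
        ref = f"{name}/{c.get('name', '<container>')}"
        sc = c.get("securityContext", {})
        if sc.get("privileged"):
            findings.append(f"{ref}: privileged container")
        # Kubernetes defaults allowPrivilegeEscalation to true unless set explicitly.
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{ref}: allowPrivilegeEscalation not set to false")
        # runAsNonRoot may be set at pod level or container level.
        if not (sc.get("runAsNonRoot") or pod_sc.get("runAsNonRoot")):
            findings.append(f"{ref}: runAsNonRoot not enforced")
        image = c.get("image", "")
        tag_part = image.rsplit("/", 1)[-1]
        unpinned = (":" not in tag_part and "@" not in tag_part)
        if unpinned or image.endswith(":latest"):
            findings.append(f"{ref}: image is unpinned (no tag/digest, or :latest)")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{ref}: no resource limits")
    return findings


def scan(manifests_json: str) -> Dict[str, List[str]]:
    """Scan every object in a JSON array of manifests, keyed by object name."""
    return {obj["metadata"]["name"]: scan_object(obj)
            for obj in json.loads(manifests_json)}


if __name__ == "__main__":
    for obj_name, msgs in scan(SAMPLE_MANIFESTS).items():
        print(f"{obj_name}: {len(msgs)} finding(s)")
        for m in msgs:
            print("  -", m)
```

In a pipeline this runs as a pre-merge check that fails the build when any finding is returned, which is the "remove risk" step the quote refers to: the misconfiguration never reaches the cluster rather than being detected there.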
LOW-CODE SECURITY AUTOMATION
In 2022, automation will grow beyond the Security Operations Center (SOC) to serve as a system of record for the entire security organization. As companies struggle to adequately staff security teams — and fallout from The Great Resignation adds additional stress across the organization — automation will help employees overcome process and data fatigue. Companies will seek to use low-code automation to harness the collective knowledge of their entire security organization and form a centralized system of record for operational data.
Cody Cornell
Co-Founder and Chief Strategy Officer, Swimlane
DEVSECOPS HARNESSES AI
Cloud-native development will become the preferred way to simplify multi-cloud architectures driven predominantly by APIs with more robust security products leveraging AI and ML to provide insightful and predictive security in a more material way.
Sean Davis
Chief Security Architect, Transunion, and DevOps Institute Ambassador
DEVSECOPS HARNESSES AI AND AUTOMATION
The transition from DevOps to DevSecOps will harness the combination of AI and automation, redefining software development in 2022. Supply chain attacks, data mishandling and unaddressed known vulnerabilities over the last year made it clear that DevSecOps is the next stage of DevOps and the driving force that adds value, speed, and security to all stages of the SDLC. As we shift to that next stage, the combination of AI and automation to manage laborious security and CI/CD tasks inherent to cloud-native software development will save teams time while empowering them to proactively address any issues in the SDLC — enabling them to become an even more essential piece of business strategies.
Andreas Grabner
Director of Strategic Partnerships, Dynatrace
DEVSECOPS TOOL CONSOLIDATION
In the area of AppSec, organizations have been implementing static analysis tools, interactive application security testing tools, and software composition analysis tools (among others) with the desire to move quickly and enact a DevSecOps culture. And to do so in the year ahead, I'd like to see more strategic tooling management. There will be a continued push to run these tools faster, get more actionable results and also reduce excess noise created by the defects being identified. Organizations do not want to waste developers' time combing through a host of duplicate defects or fixing defects that are not exploitable. Thus, consolidating results from multiple tools and providing a prioritized list of defects will become a priority.
Ian Hall
Head of Client Services, APAC, Synopsys
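An added example of the consolidation step described above (not code from the author, Synopsys or DEVOPSdigest): raw findings from several tools are merged on (weakness type, location) so that the same defect reported by two static analyzers and confirmed by an interactive tool appears once, with the highest reported severity, and the list is then ranked so that confirmed-exploitable findings come first. The findings, tool names, file paths and scoring weights are constructed for this example; a real implementation would map each tool's native output (e.g. SARIF) into the Finding shape first.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Constructed raw findings (not real scanner output). Tool names, weakness
# kinds and locations are placeholders.
@dataclass
class Finding:
    tool: str
    kind: str          # weakness category, e.g. "sql-injection"
    location: str      # file:line, or manifest:package@version for SCA
    severity: str
    exploitable: bool = False   # set by tools that verify reachability at runtime


RAW_FINDINGS = [
    Finding("sast-a", "sql-injection", "app/db.py:42", "high"),
    Finding("sast-b", "sql-injection", "app/db.py:42", "medium"),
    Finding("iast", "sql-injection", "app/db.py:42", "high", exploitable=True),
    Finding("sast-a", "hardcoded-secret", "app/config.py:7", "medium"),
    Finding("sca", "vulnerable-dependency", "requirements.txt:example-yaml@5.1", "critical"),
]

# Scoring weights chosen for this example.
SEVERITY_WEIGHT = {"critical": 40, "high": 30, "medium": 20, "low": 10}
EXPLOITABLE_BONUS = 50
CORROBORATION_BONUS = 5   # per additional tool reporting the same defect


@dataclass
class Consolidated:
    kind: str
    location: str
    severity: str
    tools: List[str] = field(default_factory=list)
    exploitable: bool = False

    def score(self) -> int:
        """Higher means fix sooner: severity, then proven exploitability, then corroboration."""
        s = SEVERITY_WEIGHT.get(self.severity, 0)
        if self.exploitable:
            s += EXPLOITABLE_BONUS
        s += CORROBORATION_BONUS * (len(self.tools) - 1)
        return s


def consolidate(findings: List[Finding]) -> List[Consolidated]:
    """Merge duplicates across tools and return a prioritized (descending score) list."""
    merged: Dict[Tuple[str, str], Consolidated] = {}
    for f in findings:
        key = (f.kind, f.location)
        entry = merged.setdefault(key, Consolidated(f.kind, f.location, f.severity))
        if f.tool not in entry.tools:
            entry.tools.append(f.tool)
        entry.exploitable = entry.exploitable or f.exploitable
        # Keep the highest severity any tool reported for this defect.
        if SEVERITY_WEIGHT.get(f.severity, 0) > SEVERITY_WEIGHT.get(entry.severity, 0):
            entry.severity = f.severity
    return sorted(merged.values(), key=lambda c: c.score(), reverse=True)


def split_by_exploitability(items: List[Consolidated]) -> Tuple[List[Consolidated], List[Consolidated]]:
    """Separate confirmed-exploitable defects (fix now) from the rest (review/backlog)."""
    now = [c for c in items if c.exploitable]
    later = [c for c in items if not c.exploitable]
    return now, later


if __name__ == "__main__":
    for c in consolidate(RAW_FINDINGS):
        print(f"{c.score():3d} {c.severity:8s} {c.kind:22s} {c.location}  via {','.join(c.tools)}")
```

Five raw records collapse to three defects here; the injection finding confirmed by the interactive tool outranks the critical-rated dependency finding because it carries runtime evidence, which is the kind of prioritization the quote asks for so that developers are not handed duplicates or unexploitable results first.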
DEVSECOPS LEVERAGES TEST AUTOMATION
Ultimately, modern test automation allows developers to focus on making sure their builds don't fall short of the user story. And DevSecOps leaders, in 2022, will benefit from using modern (functional and end-to-end) test automation to make sure known and unknown vulnerabilities don't go live.
Matt Wyman
Chief Product Officer, Sauce Labs
CLOUD-NATIVE APPLICATION PROTECTION PLATFORMS (CNAPP)
A CISO recently asked me: "I'm facing a growing stream of vulnerabilities coming from our CI/CD pipelines on the one hand, while our SecOps team is flooded with alerts and configuration issues from our production environment. How do I reconcile those separate streams and focus on what's really important?" In the wake of these challenges, 2022 will see an emergence of CNAPPs, or cloud native application protection platforms, an emerging category of security solutions recently defined by Gartner to help identify, assess, prioritize, and adapt to risk in cloud native applications, infrastructure, and configurations. The prevalence of large-scale cloud native deployments is forcing enterprises to combine "shift left" DevSecOps, intelligent automation, CSPM (cloud security posture management) and CWPPs (cloud workload protection platforms), to bring efficiency and speed to cloud native security.
Rani Osnat
SVP Strategy, Aqua Security
SECURITY MORE ENGAGED IN THE BUSINESS
In some companies, cybersecurity teams are more participative in business initiatives as real partners, and this will be more effective during 2022. Without security and privacy by design, new applications will not be able to be launched, so, instead of being blockers and gatekeepers, security advisors will be able to join the planning phases and bring threat modeling expertise, for example, for those who never thought about it, bringing more value and less friction to software releases and developer teams.
Tiago Moreira Soares
Solution Engineer, BlazeMeter by Perforce
DEVSECOPS EDUCATION IS CRITICAL
Increased market education on cloud native: Staffing and lack of knowledge are two of the biggest challenges for cloud native security. DevOps teams are not familiar with security methods, and it isn't their main responsibility. On the other hand, security teams are not familiar with cloud services, Kubernetes, containers, and their respective security risks and countermeasures. Educating the market and moving toward a DevSecOps transformation will be critical in 2022.
Rani Osnat
SVP Strategy, Aqua Security