DEVOPSdigest

DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact the business in 2023.

SECURITY-FIRST MINDSET

As developers continue to rely on open source code to build applications, hefty security concerns around vulnerabilities and secret leakage loom over organizations. In 2023, we see a mindset shift and full commitment from DevSecOps to shore up these SDLC security gaps and ensure zero trust. Many will migrate to CNAPP platforms incorporating security of the code itself - from development to production on through to runtime. By ‘shifting left’ even further and offering pipeline security and code functionality into one unified platform, teams can adopt a prevention-first mindset that addresses security issues before they become real problems.
Dotan Nahum
Head of Developer Security, Check Point Software Technologies

SECURITY - TOP PRIORITY FOR CIO

Security will be a top priority for CIOs heading into 2023. It hasn't been in the news this year quite as much as it was last year, but it remains the biggest problem that CIOs are facing. While awareness of the problem has certainly increased, I don't think most companies have made real progress in addressing the issues. Ransomware is still a big problem — still a growing problem, in fact, even though we haven't seen as many high-profile attacks as we did in 2021. Or maybe they're just old news. Ransomware operators have added extortion to their bag of tricks. In addition to encrypting data, they will sell it or just release it if the victim doesn't pay. Software supply chain attacks are another huge issue. They don't get quite as much coverage because few people really understand how many pieces of software, and how many different sources, are combined to make any product. Of course, there are many other kinds of attacks. These are the two that CIOs really need to focus on.
Mike Loukides
VP of Emerging Tech Content, O'Reilly Media(link is external)

DEVSECOPS REPLACES DEVOPS

DevSecOps will evolve slowly to replace DevOps in 2023. DevSecOps is an evolution of DevOps that emerged from the need for security considerations to be addressed earlier in the development cycle rather than being bolted on as an afterthought. Far from being yet another add-on to DevOps, DevSecOps is an entire culture and tooling change that puts the responsibility for security at the build stage before shipping features to customers. This paradigm shift is necessary because of the significant increase in cyber attacks on applications. As more organizations embrace serverless, microservice architectures, Docker, Kubernetes, and similar modern-day cloud technologies, security will take center stage eventually becoming a part of DevOps by default.
Brian Galura
CEO, Convox

DEVSECOPS GETS HUGE BOOST

DevSecOps will get a huge boost as more and more organizations with matured/maturing DevOps practices will opt to enhance and integrate security into their DevOps pipelines. Security should be baked-in instead of bolted-on, so a DevSecOps mindset that advocates moving security left and considering security in every stage of DevOps will be the talk of the town and will get huge attention next year. With a lot of upcoming interest and opportunities in the DevSecOps space, we could also expect security vendors to provide umbrella security solutions to secure all stages of DevOps, instead of focusing on individual stages.
Ayush Kaushik
Manager, Product Security, Avalara(link is external)

Going into 2023, we expect Developers will finally grow tired of being the last to know when it comes to application security and revolt against ticketing interface-type tools. Developer teams will have more budget and influence over security testing tools and AppSec providers will invest more in the developer experience. The combination will help drive the widespread adoption of a DevSecOps philosophy.
Scott Gerlach
CSO and Co-Founder, StackHawk(link is external)

DEVOPS MUST OWN SECURITY AND COMPLIANCE

DevOps will need to own security and compliance on some level in 2023 because security control operations will become a more rigorous and critical aspect of their contributions. Security operations owned by DevOps teams must be discretely defined to allow for valid testing of the security controls. Automated testing of deployment processes, data privacy and business continuity will become critical responsibilities of this role. DevOps teammates will need to be conversant in certifications like SOC 2, ISO 27001 and HIPAA to understand their responsibilities and respond to related organizational compliance goals.
Justin Beals
CEO and Co-Founder, Strike Graph(link is external)

PLATFORM TEAMS DRIVE DEVSECOPS

As we enter the New Year, organizations will be looking to balance accelerating modernization efforts while optimizing costs, managing risk and driving revenue. In 2023, I predict we’ll see more organizations implementing platform teams to standardize tools, platforms, to streamline and strengthen software delivery and operations of modern applications. Platform teams are integral to a DevSecOps practice by not only building and running the platform developers use to create new applications that drive business revenue while "shifting left" management and security, and partnering with Cloud Operations team to automate and optimize use of cloud resources. By having teams devoted to running platform as a product, organizations will improve the developer productivity, deliver secure applications continuously and operate applications at scale across clouds.
Ajay Patel
SVP and GM, Modern Applications & Management Business,VMware(link is external)

SECURITY IS ORGANIZATION-WIDE RESPONSIBILITY

As remote development becomes more and more commonplace, software supply chain security will play a more expansive role across the SDLC. Security responsibilities will span from the IDE and extend to applications running in production, continuing the ongoing trend toward security as an organization-wide responsibility.
David DeSanto
VP of Product, GitLab(link is external)

Amid rising cyber threats and endemic vulnerabilities such as Log4Shell, security and cyber resilience needs to be viewed as a shared responsibility that falls on everyone involved in innovation. Organizations who take out cyber-insurance policies will need to demonstrate that all team members, including development and operations, are accountable for delivering secure innovation. Organizations will need to be focused on finding solutions that enable them to build a holistic DevSecOps approach, which will require greater investment into observability platforms that support cross-departmental processes to ensure all teams have the information necessary to minimize risk.
Amit Shah
Director of Product Marketing, Dynatrace(link is external)

Everyone needs to take part in DevSecOps — Up until now, DevSecOps was mostly a discipline for devs, devops, and security teams. But as the tech-stack continues to grow larger and more complex, everyone from product and sales to marketing and support need to be actively involved, as everyone is becoming (low-code) developers. This would be most apparent in areas like IAM (defining identities, passwordless experience management ,and managing application permissions and access-control); CI/CD (feature gating, adjusting, and toggling); and data-enrichment (PII redaction and privacy). These key features dramatically impact customer experiences and business interactions.
Or Weis
CEO & Co-Founder, Permit.io(link is external)

SECURITY SHIFTS LEFT

Most of our users in the test space are being asked to do security testing as part of a shift-left motion. I believe 2023 will see more widespread security testing happening in parallel with application development, rather than at the end, right before release. The ability to add in OWASP Top 10 scanning alongside existing tests will be a differentiator.
Marcus Merrell
VP of Technology Strategy, Sauce Labs(link is external)

Now, the reality is a matter of when, not if, your organization will be the target of an attack. To combat this rising security concern, organizations will need to integrate security within the development process from the very beginning. Integrating security and compliance testing at the upfront will greatly reduce risk and prevent disruptions.
Kevin Thompson
CEO and Executive Chairman, Tricentis(link is external)

COOPERATION BETWEEN TRADITIONAL SECURITY AND SHIFT-LEFT

Lately the market has been focused on the shift left and a lot of resources were invested to educate and build proper security tools to address these issues in cloud native pipelines (SCM security, CI/CD etc). Attackers see that there’s a gap between the shift left stakeholders (developers and devops) and the more traditional security practitioners (CISO office etc). We predict that the cooperation between the more traditional security groups in the organization and the shift left stakeholders will increase in the coming year.
Assaf Morag
Lead Data Analyst, Aqua Security(link is external)

GOING BEYOND SHIFT-LEFT

Our mobile devices are frequently at arm's reach and store personal, sensitive data, so it should be no surprise that this is a primary target of malicious attacks. After another trying year of data breaches and cyber threats, organizations and their development teams must better prioritize cyber resilience and risk-reducing strategies in 2023 for the sake of their customers. To achieve this, teams can introduce a shift left approach to security to implement codes and policies earlier in the development process that identify mobile security gaps and potential weaknesses. However, the most successful teams will integrate these security testing parameters and checkpoints throughout the entire development lifecycle in a continuous and agile manner — taking this a step beyond only "shifting left." Expect to see more development teams bring security analysis into the CI/CD pipeline, including static code and dynamic analysis activities and validating with functional testing and mocking services in the new year.
Eran Kinsbruner
Chief Evangelist, Perforce Software(link is external)

Go to: 2023 DevSecOps Predictions - Part 2