DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024.
REVERSAL OF SHIFT LEFT MODEL
Taking a step back from Shift Left Awakening: We will see a reversal in the "Shift Left" model, emphasizing the importance of strong security teams creating policies. Integration into CI (DevOps) pipelines will be streamlined, striking a balance between efficiency and security. The focus will be on empowering developers with effective security tools rather than overwhelming them with too many, ensuring a more efficient and secure development process.
Shahar Man
Co-Founder & CEO, Backslash Security
EMA'S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
DEVSECOPS – STANDARD OPERATING PROCEDURE
In 2024, containers and microservices will not just support but will define DevOps practices, solidifying their position at the core of DevSecOps. This evolution will ensure that security is an integral part of the development pipeline, with containers providing a standardized, secure environment and microservices enabling targeted, swift security updates. This framework empowers organizations to build, deploy, and manage applications with agility, without compromising on security. As a result, the essence of DevSecOps — continuous security at speed — becomes the standard operating procedure for development teams.
Keith Cunningham
VP of Strategy, Sylabs
As DevOps tools rise in popularity, they will be a prime target for hackers. This will drive the shift towards DevSecOps to ensure that security is not a final checkpoint but a continual process, embedded from initial design to deployment and maintenance.
Guillaume Moigneu
VP Product, Growth and Monetization, Platform.sh
I predict that 2024 will be the year in which even conservative industries, such as Automotive and MedTech, will embrace DevSecOps with bug and vulnerability detection during development. As these industries are moving to software-defined everything (SDx), even vehicles, that are constantly connected via APIs and push over-the-air software updates, the logical response is to adopt the same DevSecOps mode as cloud-native computing.
Sergej Dechand
CEO and Co-Founder, Code Intelligence
DEVSECOPS 2.0
In a DevSecOps 2.0 world, Cyber teams will (be forced to) adopt developer best practices and be responsible to build, test, release and monitor mobile app security. Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.
Chris Roeckl
CPO, Appdome
SECURITY BECOMES PART OF SDLC
In 2024, DevSecOps will experience a paradigm shift in integrating security into the development process. Security will no longer be seen as a separate function but an intrinsic part of the development lifecycle. Security tools and practices will be seamlessly integrated into CI/CD pipelines, enabling automated security checks throughout the software delivery process. Threat intelligence and vulnerability assessments will be leveraged in real-time, providing immediate insights into potential risks. Security champions within development teams will be pivotal in ensuring secure coding practices. The adoption of zero-trust principles will become more prevalent, emphasizing continuous verification and authorization for all users and devices. Overall, 2024 will be a year of heightened security consciousness, where DevSecOps becomes synonymous with agile, secure, and resilient software development. This evolution will protect organizations from cyber threats and foster a culture of security-first mindset within the development community.
Rajesh Sarangapani
SVP and Head of Innovation, Cigniti Technologies
DEVOPS AND SECURITY TEAM COLLABORATION
In the coming year, we expect to see organizations work to close the disconnect between their DevOps and Security teams. By empowering these teams to work more cohesively, companies will have an easier time ensuring that applications and data are protected from security threats and vulnerabilities. Instead of looking within the "inside" of a cloud infrastructure, DevOps and security teams must work together in securing the border guarding each system. By doing so, organizations can maintain a robust in-house DevSecOps cybersecurity program that helps them react to incidents intelligently within minutes based on the uniqueness of each environment.
Or Shoshani
CEO and Founder, Stream Security
A trend expected to continue in 2024 is more need and willingness for collaboration between security and engineering teams. Time and time again, many security risks and vulnerabilities can be traced back to security teams being unaware of what engineering teams are doing and which applications are being created and deployed. Most organizations still haven't built a cultural connection between these two important teams. Over the next 12 months, it is pivotal that organizations place more onus on forming collaborative relationships with software engineering and security teams. The two teams must not be viewed as separate but rather one group working cohesively. Better partnerships will ensure security teams are aware of what applications and code exist within their environment and will also lead to security practices being better understood by those creating the software. To facilitate this bond, organizations must ensure that any security solutions purchased help the software engineering and the security teams work in parallel. As engineers are accustomed to working with solutions that have easy-to-use, efficient and well-appointed user interfaces (UIs), as they become more involved in the security process, they require the same level of efficiency within security tooling.
Dan Hopkins
VP of Engineering, StackHawk
COMPROMISE - MANAGING RISK AND COST
Both development and security will take a page from site reliability engineering (SRE), quantifying error budgets that represent the best compromise among managing risks and the costs of doing so. This trend will bring engineering best practices to the table, helping organizations manage risks rationally across the board.
Jason Bloomberg
President, Intellyx
DEVSECOPS ALIGNS WITH BUSINESS RISK
In 2024, the next iteration of DevSecOps has to be aligned with business risk. Only once application or cloud security teams can clearly define what is a risk — based on severity, likelihood, and impact — and understand the nature of every software change, can you determine the right-sized response. For a critical vulnerability that's actually used in the code, exploitable via an internet exposed API, deployed to an internet-facing cluster in an application that stores PII and generates 80% of the company's revenue — that should mean blocking a build or pull request. For an exposed test password that's in testing code and is never deployed, that probably means doing nothing. This will require more mature tooling such as application security posture management (ASPM) solutions that go beyond context-less developer guardrails and one-dimensional policies into a platform that provides deep intelligence into application architecture, code, deployment, developers' knowledge and behavior and
Moti Gindi
CPO, Apiiro