Broadcom announced the general availability of VMware Tanzu Platform 10 that establishes a new layer of abstraction across Cloud Foundry infrastructure foundations to make it easier, faster, and less expensive to bring new applications, including GenAI applications, to production.
DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024.
REVERSAL OF SHIFT LEFT MODEL
Taking a step back from Shift Left Awakening: We will see a reversal in the "Shift Left" model, emphasizing the importance of strong security teams creating policies. Integration into CI (DevOps) pipelines will be streamlined, striking a balance between efficiency and security. The focus will be on empowering developers with effective security tools rather than overwhelming them with too many, ensuring a more efficient and secure development process.
Shahar Man
Co-Founder & CEO, Backslash Security
EMA'S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Click here for a direct MP3 download of Episode 41
DEVSECOPS – STANDARD OPERATING PROCEDURE
In 2024, containers and microservices will not just support but will define DevOps practices, solidifying their position at the core of DevSecOps. This evolution will ensure that security is an integral part of the development pipeline, with containers providing a standardized, secure environment and microservices enabling targeted, swift security updates. This framework empowers organizations to build, deploy, and manage applications with agility, without compromising on security. As a result, the essence of DevSecOps — continuous security at speed — becomes the standard operating procedure for development teams.
Keith Cunningham
VP of Strategy, Sylabs
As DevOps tools rise in popularity, they will be a prime target for hackers. This will drive the shift towards DevSecOps to ensure that security is not a final checkpoint but a continual process, embedded from initial design to deployment and maintenance.
Guillaume Moigneu
VP Product, Growth and Monetization, Platform.sh
I predict that 2024 will be the year in which even conservative industries, such as Automotive and MedTech, will embrace DevSecOps with bug and vulnerability detection during development. As these industries are moving to software-defined everything (SDx), even vehicles, that are constantly connected via APIs and push over-the-air software updates, the logical response is to adopt the same DevSecOps mode as cloud-native computing.
Sergej Dechand
CEO and Co-Founder, Code Intelligence
DEVSECOPS 2.0
In a DevSecOps 2.0 world, Cyber teams will (be forced to) adopt developer best practices and be responsible to build, test, release and monitor mobile app security. Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.
Chris Roeckl
CPO, Appdome
SECURITY BECOMES PART OF SLDC
In 2024, DevSecOps will experience a paradigm shift in integrating security into the development process. Security will no longer be seen as a separate function but an intrinsic part of the development lifecycle. Security tools and practices will be seamlessly integrated into CI/CD pipelines, enabling automated security checks throughout the software delivery process. Threat intelligence and vulnerability assessments will be leveraged in real-time, providing immediate insights into potential risks. Security champions within development teams will be pivotal in ensuring secure coding practices. The adoption of zero-trust principles will become more prevalent, emphasizing continuous verification and authorization for all users and devices. Overall, 2024 will be a year of heightened security consciousness, where DevSecOps becomes synonymous with agile, secure, and resilient software development. This evolution will protect organizations from cyber threats and foster a culture of security-first mindset within the development community.
Rajesh Sarangapani
SVP and Head of Innovation, Cigniti Technologies
DEVOPS AND SECURITY TEAM COLLABORATION
In the coming year, we expect to see organizations work to close the disconnect between their DevOps and Security teams. By empowering these teams to work more cohesively, companies will have an easier time ensuring that applications and data are protected from security threats and vulnerabilities. Instead of looking within the "inside" of a cloud infrastructure, DevOps and security teams must work together in securing the border guarding each system. By doing so, organizations can maintain a robust in-house DevSecOps cybersecurity program that helps them react to incidents intelligently within minutes based on the uniqueness of each environment.
Or Shoshani
CEO and Founder, Stream Security
A trend expected to continue in 2024 is more need and willingness for collaboration between security and engineering teams. Time and time again, many security risks and vulnerabilities can be traced back to security teams being unaware of what engineering teams are doing and which applications are being created and deployed. Most organizations still haven't built a cultural connection between these two important teams. Over the next 12 months, it is pivotal that organizations place more onus on forming collaborative relationships with software engineering and security teams. The two teams must not be viewed as separate but rather one group working cohesively. Better partnerships will ensure security teams are aware what applications and code exists within their environment and will also lead to security practices being better understood by those creating the software. To facilitate this bond, organizations must ensure that any security solutions purchased helps the software engineering and the security teams work in parallel. As engineers are accustomed to working with solutions that have easy to use, efficient and well-appointed user interfaces (UIs), as they become more involved in the security process, they require the same level of efficiency within security tooling.
Dan Hopkins
VP of Engineering, StackHawk
COMPROMISE - MANAGING RISK AND COST
Both development and security will take a page from site reliability engineering (SRE), quantifying error budgets that represent the best compromise among managing risks and the costs of doing so. This trend will bring engineering best practices to the table, helping organizations manage risks rationally across the board.
Jason Bloomberg
President, Intellyx
DEVSECOPS ALIGNS WITH BUSINESS RISK
In 2024, the next iteration of DevSecOps has to be aligned with business risk. Only once application or cloud security teams can clearly define what is a risk—based on severity, likelihood, and impact — and understand the nature of every software change, can you determine the right-sized response. For a critical vulnerability that's actually used in the code, exploitable via an internet exposed API, deployed to an internet-facing cluster in an application that stores PII and generates 80% of the company's revenue — that should mean blocking a build or pull request. For an exposed test password that's in testing code and is never deployed, that probably means doing nothing. This will require more mature tooling such as application security posture management (ASPM) solutions that go beyond context-less developer guardrails and one-dimensional policies into a platform that provides deep intelligence into application architecture, code, deployment, developers' knowledge and behavior and
Moti Gindi
CPO, Apiiro
Industry News
Tricentis announced the expansion of its test management and analytics platform, Tricentis qTest, with the launch of Tricentis qTest Copilot.
Redgate is introducing two new machine learning (ML) and artificial intelligence (AI) powered capabilities in its test data management and database monitoring solutions.
Upbound announced significant advancements to its platform, targeting enterprises building self-service cloud environments for their developers and machine learning engineers.
Edera announced the availability of Am I Isolated, an open source container security benchmark that probes users runtime environments and tests for container isolation.
Progress announced 10 years of partnership with emt Distribution — a leading cybersecurity distributor in the Middle East and Africa.
Port announced $35 million in Series B funding, bringing its total funding to $58M to date.
Parasoft has made another step in strategically integrating AI and ML quality enhancements where development teams need them most, such as using natural language for troubleshooting or checking code in real time.
MuleSoft announced the general availability of full lifecycle AsyncAPI support, enabling organizations to power AI agents with real-time data through seamless integration with event-driven architectures (EDAs).
Numecent announced they have expanded their Microsoft collaboration with the launch of Cloudpager's new integration to App attach in Azure Virtual Desktop.
Progress announced the completion of the acquisition of ShareFile, a business unit of Cloud Software Group, providing a SaaS-native, AI-powered, document-centric collaboration platform, focusing on industry segments including business and professional services, financial services, industrial and healthcare.
Incredibuild announced the acquisition of Garden, a provider of DevOps pipeline acceleration solutions.
The Open Source Security Foundation (OpenSSF) announced an expansion of its free course “Developing Secure Software” (LFD121).
Redgate announced that its core solutions are listed in Amazon Web Services (AWS) Marketplace.
LambdaTest introduced a suite of new features to its AI-powered Test Manager, designed to simplify and enhance the test management experience for software development and QA teams.