DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024.
REVERSAL OF SHIFT LEFT MODEL
Taking a step back from Shift Left Awakening: We will see a reversal in the "Shift Left" model, emphasizing the importance of strong security teams creating policies. Integration into CI (DevOps) pipelines will be streamlined, striking a balance between efficiency and security. The focus will be on empowering developers with effective security tools rather than overwhelming them with too many, ensuring a more efficient and secure development process.
Shahar Man
Co-Founder & CEO, Backslash Security
EMA'S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Click here for a direct MP3 download of Episode 41
DEVSECOPS – STANDARD OPERATING PROCEDURE
In 2024, containers and microservices will not just support but will define DevOps practices, solidifying their position at the core of DevSecOps. This evolution will ensure that security is an integral part of the development pipeline, with containers providing a standardized, secure environment and microservices enabling targeted, swift security updates. This framework empowers organizations to build, deploy, and manage applications with agility, without compromising on security. As a result, the essence of DevSecOps — continuous security at speed — becomes the standard operating procedure for development teams.
Keith Cunningham
VP of Strategy, Sylabs
As DevOps tools rise in popularity, they will be a prime target for hackers. This will drive the shift towards DevSecOps to ensure that security is not a final checkpoint but a continual process, embedded from initial design to deployment and maintenance.
Guillaume Moigneu
VP Product, Growth and Monetization, Platform.sh
I predict that 2024 will be the year in which even conservative industries, such as Automotive and MedTech, will embrace DevSecOps with bug and vulnerability detection during development. As these industries are moving to software-defined everything (SDx), even vehicles that are constantly connected via APIs and push over-the-air software updates, the logical response is to adopt the same DevSecOps mode as cloud-native computing.
Sergej Dechand
CEO and Co-Founder, Code Intelligence
DEVSECOPS 2.0
In a DevSecOps 2.0 world, Cyber teams will (be forced to) adopt developer best practices and be responsible to build, test, release and monitor mobile app security. Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.
Chris Roeckl
CPO, Appdome
SECURITY BECOMES PART OF SDLC
In 2024, DevSecOps will experience a paradigm shift in integrating security into the development process. Security will no longer be seen as a separate function but an intrinsic part of the development lifecycle. Security tools and practices will be seamlessly integrated into CI/CD pipelines, enabling automated security checks throughout the software delivery process. Threat intelligence and vulnerability assessments will be leveraged in real-time, providing immediate insights into potential risks. Security champions within development teams will be pivotal in ensuring secure coding practices. The adoption of zero-trust principles will become more prevalent, emphasizing continuous verification and authorization for all users and devices. Overall, 2024 will be a year of heightened security consciousness, where DevSecOps becomes synonymous with agile, secure, and resilient software development. This evolution will protect organizations from cyber threats and foster a culture of security-first mindset within the development community.
Rajesh Sarangapani
SVP and Head of Innovation, Cigniti Technologies
DEVOPS AND SECURITY TEAM COLLABORATION
In the coming year, we expect to see organizations work to close the disconnect between their DevOps and Security teams. By empowering these teams to work more cohesively, companies will have an easier time ensuring that applications and data are protected from security threats and vulnerabilities. Instead of looking within the "inside" of a cloud infrastructure, DevOps and security teams must work together in securing the border guarding each system. By doing so, organizations can maintain a robust in-house DevSecOps cybersecurity program that helps them react to incidents intelligently within minutes based on the uniqueness of each environment.
Or Shoshani
CEO and Founder, Stream Security
A trend expected to continue in 2024 is more need and willingness for collaboration between security and engineering teams. Time and time again, many security risks and vulnerabilities can be traced back to security teams being unaware of what engineering teams are doing and which applications are being created and deployed. Most organizations still haven't built a cultural connection between these two important teams. Over the next 12 months, it is pivotal that organizations place more onus on forming collaborative relationships with software engineering and security teams. The two teams must not be viewed as separate but rather one group working cohesively. Better partnerships will ensure security teams are aware of what applications and code exist within their environment and will also lead to security practices being better understood by those creating the software. To facilitate this bond, organizations must ensure that any security solutions purchased help the software engineering and the security teams work in parallel. As engineers are accustomed to working with solutions that have easy-to-use, efficient and well-appointed user interfaces (UIs), as they become more involved in the security process, they require the same level of efficiency within security tooling.
Dan Hopkins
VP of Engineering, StackHawk
COMPROMISE - MANAGING RISK AND COST
Both development and security will take a page from site reliability engineering (SRE), quantifying error budgets that represent the best compromise among managing risks and the costs of doing so. This trend will bring engineering best practices to the table, helping organizations manage risks rationally across the board.
Jason Bloomberg
President, Intellyx
DEVSECOPS ALIGNS WITH BUSINESS RISK
In 2024, the next iteration of DevSecOps has to be aligned with business risk. Only once application or cloud security teams can clearly define what is a risk — based on severity, likelihood, and impact — and understand the nature of every software change, can you determine the right-sized response. For a critical vulnerability that's actually used in the code, exploitable via an internet-exposed API, deployed to an internet-facing cluster in an application that stores PII and generates 80% of the company's revenue — that should mean blocking a build or pull request. For an exposed test password that's in testing code and is never deployed, that probably means doing nothing. This will require more mature tooling such as application security posture management (ASPM) solutions that go beyond context-less developer guardrails and one-dimensional policies into a platform that provides deep intelligence into application architecture, code, deployment, developers' knowledge and behavior and
Moti Gindi
CPO, Apiiro
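
The right-sized response described in the prediction above, sketched as a CI gate that weighs severity, likelihood and impact instead of severity alone. This is an added example, not code from the article or from Apiiro; the field names, the scoring formula and the thresholds are assumptions chosen for illustration.

```python
from dataclasses import dataclass

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass(frozen=True)
class Finding:
    title: str
    severity: str           # scanner-reported severity
    used_in_code: bool      # the vulnerable code path is actually called
    internet_exposed: bool  # reachable through an internet-facing API or cluster
    deployed: bool          # the affected code ships to a running environment
    stores_pii: bool        # the application stores PII
    revenue_share: float    # fraction of company revenue the application generates

def likelihood(f: Finding) -> int:
    """0 if the code never ships; otherwise 1-3 by reachability and exposure."""
    if not f.deployed:
        return 0
    return 1 + int(f.used_in_code) + int(f.internet_exposed)

def impact(f: Finding) -> int:
    """1-3 by data sensitivity and business criticality (0.5 cut-off is assumed)."""
    return 1 + int(f.stores_pii) + int(f.revenue_share >= 0.5)

def decide(f: Finding) -> str:
    """Map severity x likelihood x impact (range 0-36) to a right-sized response."""
    risk = SEVERITY[f.severity] * likelihood(f) * impact(f)
    if risk >= 24:      # assumed threshold
        return "block"
    if risk >= 6:       # assumed threshold
        return "ticket"
    return "ignore"

def gate(findings: list[Finding]) -> int:
    """CI exit code: non-zero only when at least one finding warrants blocking."""
    return 1 if any(decide(f) == "block" for f in findings) else 0

# Constructed sample findings (not real scan output).
CRITICAL_API = Finding("critical vuln in payment API", "critical", True, True, True, True, 0.8)
TEST_SECRET = Finding("password in test fixture", "high", False, False, False, False, 0.0)
INTERNAL_LIB = Finding("high vuln in internal service", "high", True, False, True, True, 0.1)

if __name__ == "__main__":
    for f in (CRITICAL_API, TEST_SECRET, INTERNAL_LIB):
        print(f"{f.title}: {decide(f)}")
    raise SystemExit(gate([TEST_SECRET, INTERNAL_LIB]))
```

The never-deployed test secret scores zero regardless of its scanner severity, which is the "doing nothing" case from the text; only the reachable, exposed, business-critical finding fails the build.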