Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.
DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024. Part 3 looks at more issues and solutions.
Start with: 2024 DevSecOps Predictions - Part 1
Start with: 2024 DevSecOps Predictions - Part 2
LARGE LANGUAGE MODELS IMPACT SECURITY
In 2024, as Large Language Models (LLMs) become increasingly ubiquitous, we can anticipate a growing concern in the realm of developer security.
There are two key aspects that warrant attention:
■ Emergence of Malicious Open-Source Packages: In the past, crafting a malicious open source package required a level of domain expertise. However, the widespread availability of LLMs has lowered the entry barrier, making it feasible for anyone with a computer and an internet connection to create malicious packages. Consequently, we should expect a surge in cyberattacks, characterized by increased sophistication and a broader linguistic spectrum due to the ease of language adaptation.
■ Security Measures for LLM Adoption: With the integration of LLMs into various processes, companies will need to fortify their security defenses. For those consuming LLMs through APIs, traditional threats such as injection vulnerabilities will persist, but new risks will emerge, like verifying the input and output of LLMs to ensure they don't compromise the organization's network or contain malicious instructions. Companies opting to run LLMs in-house will encounter the challenge of managing a new technology stack, involving permissions, restrictions, and more.
In summary, the wider adoption of LLMs will have ripple effects, not only on hackers seeking to exploit vulnerabilities but also on security services working to safeguard digital assets and networks.
Ori Abramovsky
Head of Data Science, Check Point Software Technologies
EMA'S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Click here for a direct MP3 download of Episode 41
AI IMPROVES API SECURITY
API security evolves as AI enhances offense-defense strategies: In 2023, AI began transforming cybersecurity, playing pivotal roles both on the offensive and defensive security fronts. Traditionally, identifying and exploiting complex, one-off API vulnerabilities required human intervention. AI is now changing this landscape, automating the process, enabling cost-effective, large-scale attacks. In 2024, I predict a notable increase in the sophistication and scalability of attacks. We will witness a pivotal shift as AI becomes a powerful tool for both malicious actors and defenders, redefining the dynamics of digital security.
Shay Levi
CTO and Co-Founder, Noname Security
OPEN SOURCE PRODUCT SECURITY TEAMS
In 2024, we see the rise of dedicated open source product security teams within organizations. As open source continues to expand its footprint within commercial products, product security groups will begin building out dedicated teams focused exclusively on the security of the open source components that make up much of the source code in their products.
Donald Fischer
CEO and Co-Founder, Tidelift
CONTAINER PROTECTION
In 2024, I think we're going to see DevOps teams work more closely with their CISOs or IT security leads to protect containerized environments. Regulations such as GDPR, PCI, and HIPAA are making it increasingly important for organizations to protect and back up data that is vulnerable to increasingly sophisticated cyber threats like Ransomware, and more often than not, that data is in containers. Nearly 9 out of 10 companies today are using containers in development to drive rapid innovation. Although Kubernetes is known to have strict security protocols that help block access to components outside of a cluster, it's definitely not impenetrable. Misconfigurations, missing container replacements, and gaps with backing up create vulnerabilities that attackers are actively exploiting. Warm cloud backups to speed up recovery times during any future downtime incidents, regular scanning, and running containers with the least privileges possible should all be priorities in the year ahead.
Faiz Khan
CEO, Wanclouds
DevOps Adopts Cloud-based Code Signing
In 2023, the CA/Browser Forum passed a new baseline requirement for how code signing certificates and keys are to be securely stored. This was a direct result of several high profile cyberattacks related to compromised code signing keys and processes. While code signing has become essential to proving the authenticity, integrity and security of software, it is still an afterthought for many development organizations. DevOps teams will use the new CA/B Forum requirements to reinvent their code signing processes. The popularity of SaaS code signing with a cloud-based HSM will enable simplified and centralized code signing processes, support distributed developers and meet the CA/B Forum requirements – promoting speed, agility and security through the software development lifecycle.
Murali Palanisamy
CTO, AppViewX
CLUSTERED ARCHITECTURES
As businesses increasingly adopt containerized and microservices architectures for their application delivery, I believe that a notable shift towards enhanced segmentation within clusters is on the horizon. This evolution is particularly evident in the growing prominence of Kubernetes as a primary delivery method in the cloud. Organizations are poised to invest significant efforts in fortifying the security and segmentation of clustered architectures at the container level. This proactive approach recognizes the pivotal role of secure containerization and microservices in modern software development. The future landscape is one where the nuances of clustered environments are carefully addressed to not only optimize performance but, more crucially, to bolster the resilience and security of applications as they navigate the dynamic and interconnected realms of containerized and microservices-based infrastructures in multi-cloud vendor environment.
Erez Tadmor
Cybersecurity Evangelist, Tufin
APPLICATION SHIELDING
Application shielding will continue to grow in adoption as organizations realize its value in the DevSecOps framework. Application shielding helps DevSecOps teams work more efficiently by embedding protections to secure source code and IP from reverse-engineering and tampering attempts; IT and security teams will need a mobile app protection platform that meshes with a DevSecOps framework or risk being further siloed from development team efforts.
RJT Keating
SVP of Corporate Development, Zimperium
HARDWARE ACCELERATORS
As DevSecOps matures in 2024, we foresee a deeper fusion with hardware accelerators, optimizing security task efficiency. This synergy will accelerate development workflows and strengthen security postures, narrowing potential attack vectors. For containerized applications, this progress is crucial — enhancing governance, ensuring the deployment of secure containers, and swiftly neutralizing threats. Such advancements are key to advancing the security and performance duality, especially in high-stakes, performance-sensitive environments.
Keith Cunningham
VP of Strategy, Sylabs
MORE OPTIONS FOR DEVELOPERS
Developers will begin to have more options to protect and restore scripts, configurations, and code for applications they are developing across the application development lifecycle. This, in turn, will help make the critical services and configurations essential to run modern data applications available and recoverable in the event of simple human error or malicious actors.
Andy Fernandez
Director, Product Management, HYCU
2024: THE YEAR OF SBOM
2024 will be the year of the Software Bill of Materials (SBOM). In 2024, the software landscape is poised for significant changes, with a growing emphasis on SBOMs. As concerns about supply chain attacks continue to escalate, compliance measures will tighten, due to the increasing frequency and visibility of such incidents. The proactive adoption of SBOMS is not only a response to heightened awareness, but a crucial step in securing the software supply chain. This upcoming year, increased emphasis will be placed on preventing and disclosing supply chain threats, as well as an increase in compliance requirements, like US Executive Order 14028, across the globe.
Nick Mistry
SVP, CISO, Lineaje
Industry News
The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:
Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.
Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.
OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.
Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.
Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.
Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.
Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.
Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.
Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.
MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.
Elastic announced its AI ecosystem to help enterprise developers accelerate building and deploying their Retrieval Augmented Generation (RAG) applications.
Red Hat introduced new capabilities and enhancements for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes, as well as the technology preview of Red Hat OpenShift Lightspeed.
Traefik Labs announced API Sandbox as a Service to streamline and accelerate mock API development, and Traefik Proxy v3.2.