2019 DevSecOps Predictions - Part 2
January 29, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. This is Part 2.

Start with 2019 DevSecOps Predictions - Part 1

APM SUPPORTS DEVSECOPS

Reaching the level of organizational maturity at which DevSecOps teams can function most efficiently and effectively requires siloes of work to be broken down across the organization to foster a culture of collaboration and continuous communication. In 2019 we'll see growing demand for intelligent services that can offer the visibility, insight and common situational awareness that can help to achieve this kind of culture, freeing up the potential of DevSecOps, and affording organizations a greater opportunity for innovation. To establish effective common situational awareness and feedback loop between Dev, Sec, Ops, QA and management teams, the APM would need to collect telemetry and analyze dependencies across the entire stack, including datalink, network, transport, session and application layers. Once application performance and its dependencies on the delivery infrastructure are analyzed, it would be possible to provide actionable intelligence that would enable DevSecOps to collaborate effectively and establish common situational awareness throughout the different stages of the continuous delivery and deployment pipelines.
Michael Segal
Area VP, Strategy, NetScout

MACHINE LEARNING SUPPORTS DEVSECOPS

DevSecOps has historically been viewed as both an art and a science, but we'll see the latter discipline take a more prominent role in 2019. As machine learning and risk engines evolve, they will finally be able to provide companies with valuable security data. This will allow organizations to embed security into all aspects of the software development lifecycle — something that, until now, has been an unattainable goal.
Andrew Useckas
CTO, Threat X

AI AND ML DO NOT HELP SECURITY

I don't think that AI/ML get us very far in security. For threats we understand, like SQL Injection for example, we are better off using strong detection and prevention technologies where we have confidence in exactly what is being checked. For threats we don't understand, AI/ML also don't get us anywhere. We need data to train the models that simply doesn't exist for novel threats. There are some corner cases where AI/ML can be very useful, but it's not going to fundamentally change security.
Jeff Williams
Co-Founder and CTO, Contrast Security

SECURITY DATA SCIENTIST ROLE EMERGES

As AI and ML become mainstream, a new breed of security data scientists will emerge in 2019. AI and ML techniques are data dependent. Preparing, processing, and interpreting data require data scientists to be polymath. They need to know computer science, data science, and above all, need to have domain expertise to be able to tell bad data from good data and bad results from good results. What we have already begun seeing is the need for security experts who understand data science and computer science to be able to first make sense of the security data available to us today. Once this data is prepared, processed and interpreted, it can then be used by AI and ML techniques to automate security in real time.
Setu Kulkarni
VP of Corporate Strategy, WhiteHat Security

CONTINUED APPLICATION LAYER ATTACKS

We'll continue to see application layer attacks, on both custom code vulnerabilities and on vulnerabilities in open source libraries and frameworks.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD SECURITY RISK INCREASES

Regarding security in the cloud, history is likely to repeat itself, and as the move to the cloud continues, we'll inevitably see organizations spin up openly accessible servers and data in the cloud. This risk cannot be remediated with traditional security processes that are incompatible with DevOps CI/CD processes.
Reuven Harrison
CTO and Co-founder, Tufin

We'll see increasing attacks on misconfigured cloud environments. Organizations have been slow about ensuring that every cloud deployment is fully automated and continuously monitored.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD NATIVE CREATES NEW RISKS

New security risks will arise as the result of the complexity and immaturity of cloud-native environments. Cloud-native environments are inherently more secure when built and used properly. But the influx of the new technologies, tools, and knowledge to handle the extensive configuration of these systems is largely is unfamiliar to many DevOps and security teams. In 2019, these teams must figure out what proper configurations look like and how to get up to scale security quickly to hedge against risks and external threats.
Kamal Shah
CEO, StackRox

FOCUS ON CLOUD NATIVE SECURITY

In 2019, we'll see more emphasis on security in cloud native organizations. Many are talking about it; this will be the year that they take action. To do this, there will be an emphasis on automation. There's no way that DevOps teams can get security into their environments without automation. To secure cloud-native environments, you must approach it from an automation-first perspective.
Reuven Harrison
CTO and Co-founder, Tufin

KUBERNETES SECURITY BECOMES ESSENTIAL

Kubernetes security will be even more critical to the holistic security of containerized environments.
Kubernetes is the orchestrator of choice for most container deployments and is central to effective container security. Kubernetes-related misconfigurations can expose organizations to significant risk if not set up properly. Moreover, the greater adoption of Kubernetes means more frequent targeting by attackers. The focus on Kubernetes over the next year has to turn from adoption to protection and hardening. Strong Kubernetes security is essential to protect containerized applications effectively.
Kamal Shah
CEO, StackRox

SOLVING SECURITY COMPLIANCE WITH DEVOPS

Innovation spurs security compliance resolution: The networking community will need to solve the issues of security compliance within DevOps. Security compliance is about making sure policies are not only followed but also ensuring local authentication credentials are rotated on a set schedule, keeping the operating system patched, and validating that improper access is not available at a service or application level. By adopting a more innovative, microservices-based approach to DevOps, the networking communications can help ensure that security compliance is top of mind for operators.
Glenn Sullivan
Co-Founder, SnapRoute

OPEN SOURCE DRIVES CODE QUALITY AND SECURITY

Code quality will be tied to security, and open source will be a driver. Developers have long realized that open source logically can make code more secure, simply because more people are analyzing the code. Some of the world's largest conglomerates rely on open source for security. For example, Microsoft's acquisition of GitHub this year portended its status as the world's largest contributor to open source projects on GitHub, a strong indicator that the world's most influential companies value code quality. This critical mass will take hold in 2019, and more companies will embrace open source to improve quality of their code.
Albert Ziegler
Data Scientist, Semmle

FOCUS ON THIRD-PARTY API SECURITY

In 2019, companies will start to become sensitive to their developers' use of calls out to third-party APIs. It's a blind spot in the vast majority of IT organizations, similar to the way that open source was ten years ago. Most companies understand the importance of ensuring that the APIs they publish are secure from outside attack, but few are even tracking their own code's use of web services via calls to third-party APIs from the inside out. Although there are other legal and business risks that come with reliance on third-party services, the visibility will likely arise from companies having to account for confidential data they are inadvertently passing to unknown and untrusted sources outside their firewalls.
Phil Odence
GM of Black Duck On-Demand, Synopsys

IDENTITIES BECOME THE NEW SECURITY PERIMETER

Identities will become the new security perimeter: In 2019, the big cloud providers will start to realize that most enterprises are not going to migrate 100% of their applications to public cloud and will focus on delivering solutions that provide a seamless hybrid cloud experience. This will further blur the definition of the security perimeter, effectively making "identities" the new perimeter. Couple this paradigm shift with the unprecedented levels of automation that give identities vast power and enterprises will begin to rethink their approach to managing identity privileges across clouds. Enterprises will move away from depending on static role-based access controls (RBAC) to manage identity privileges and will start to turn to more dynamic authorization models (like activity-based controls) to achieve the principal of least principal.
Balaji Parimi
CEO, CloudKnox Security

SECURITY IN 2019: NO PROGRESS?

Expect a giant leap for the security industry — not quite. I would be thrilled if this was the year that the security industry buckled down and started to focus on basic blocking and tackling — generating real assurance around the most likely and dangerous attacks. But probably it will be another year of knee jerk reactions and point solutions.
Jeff Williams
Co-Founder and CTO, Contrast Security

Share this

Industry News

November 21, 2024

Red Hat announced the general availability of Red Hat Enterprise Linux 9.5, the latest version of the enterprise Linux platform.

November 21, 2024

Securiti announced a new solution - Security for AI Copilots in SaaS apps.

November 20, 2024

Spectro Cloud completed a $75 million Series C funding round led by Growth Equity at Goldman Sachs Alternatives with participation from existing Spectro Cloud investors.

November 20, 2024

The Cloud Native Computing Foundation® (CNCF®), which builds sustainable ecosystems for cloud native software, has announced significant momentum around cloud native training and certifications with the addition of three new project-centric certifications and a series of new Platform Engineering-specific certifications:

November 20, 2024

Red Hat announced the latest version of Red Hat OpenShift AI, its artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across the hybrid cloud.

November 20, 2024

Salesforce announced agentic lifecycle management tools to automate Agentforce testing, prototype agents in secure Sandbox environments, and transparently manage usage at scale.

November 19, 2024

OpenText™ unveiled Cloud Editions (CE) 24.4, presenting a suite of transformative advancements in Business Cloud, AI, and Technology to empower the future of AI-driven knowledge work.

November 19, 2024

Red Hat announced new capabilities and enhancements for Red Hat Developer Hub, Red Hat’s enterprise-grade developer portal based on the Backstage project.

November 19, 2024

Pegasystems announced the availability of new AI-driven legacy discovery capabilities in Pega GenAI Blueprint™ to accelerate the daunting task of modernizing legacy systems that hold organizations back.

November 19, 2024

Tricentis launched enhanced cloud capabilities for its flagship solution, Tricentis Tosca, bringing enterprise-ready end-to-end test automation to the cloud.

November 19, 2024

Rafay Systems announced new platform advancements that help enterprises and GPU cloud providers deliver developer-friendly consumption workflows for GPU infrastructure.

November 19, 2024

Apiiro introduced Code-to-Runtime, a new capability using Apiiro’s deep code analysis (DCA) technology to map software architecture and trace all types of software components including APIs, open source software (OSS), and containers to code owners while enriching it with business impact.

November 19, 2024

Zesty announced the launch of Kompass, its automated Kubernetes optimization platform.

November 18, 2024

MacStadium announced the launch of Orka Engine, the latest addition to its Orka product line.