2019 DevSecOps Predictions - Part 2
January 29, 2019

DEVOPSdigest asked DevOps experts for their predictions on how DevSecOps and security-related technologies will evolve and impact DevOps and business in 2019. This is Part 2.

Start with 2019 DevSecOps Predictions - Part 1

APM SUPPORTS DEVSECOPS

Reaching the level of organizational maturity at which DevSecOps teams can function most efficiently and effectively requires siloes of work to be broken down across the organization to foster a culture of collaboration and continuous communication. In 2019 we'll see growing demand for intelligent services that can offer the visibility, insight and common situational awareness that can help to achieve this kind of culture, freeing up the potential of DevSecOps, and affording organizations a greater opportunity for innovation. To establish effective common situational awareness and a feedback loop between Dev, Sec, Ops, QA and management teams, the APM would need to collect telemetry and analyze dependencies across the entire stack, including datalink, network, transport, session and application layers. Once application performance and its dependencies on the delivery infrastructure are analyzed, it would be possible to provide actionable intelligence that would enable DevSecOps to collaborate effectively and establish common situational awareness throughout the different stages of the continuous delivery and deployment pipelines.
Michael Segal
Area VP, Strategy, NetScout

MACHINE LEARNING SUPPORTS DEVSECOPS

DevSecOps has historically been viewed as both an art and a science, but we'll see the latter discipline take a more prominent role in 2019. As machine learning and risk engines evolve, they will finally be able to provide companies with valuable security data. This will allow organizations to embed security into all aspects of the software development lifecycle — something that, until now, has been an unattainable goal.
Andrew Useckas
CTO, Threat X

AI AND ML DO NOT HELP SECURITY

I don't think that AI/ML get us very far in security. For threats we understand, like SQL Injection for example, we are better off using strong detection and prevention technologies where we have confidence in exactly what is being checked. For threats we don't understand, AI/ML also don't get us anywhere. We need data to train the models that simply doesn't exist for novel threats. There are some corner cases where AI/ML can be very useful, but it's not going to fundamentally change security.
Jeff Williams
Co-Founder and CTO, Contrast Security

SECURITY DATA SCIENTIST ROLE EMERGES

As AI and ML become mainstream, a new breed of security data scientists will emerge in 2019. AI and ML techniques are data dependent. Preparing, processing, and interpreting data require data scientists to be polymaths. They need to know computer science, data science, and above all, need to have domain expertise to be able to tell bad data from good data and bad results from good results. What we have already begun seeing is the need for security experts who understand data science and computer science to be able to first make sense of the security data available to us today. Once this data is prepared, processed and interpreted, it can then be used by AI and ML techniques to automate security in real time.
Setu Kulkarni
VP of Corporate Strategy, WhiteHat Security

CONTINUED APPLICATION LAYER ATTACKS

We'll continue to see application layer attacks, on both custom code vulnerabilities and on vulnerabilities in open source libraries and frameworks.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD SECURITY RISK INCREASES

Regarding security in the cloud, history is likely to repeat itself, and as the move to the cloud continues, we'll inevitably see organizations spin up openly accessible servers and data in the cloud. This risk cannot be remediated with traditional security processes that are incompatible with DevOps CI/CD processes.
Reuven Harrison
CTO and Co-founder, Tufin

We'll see increasing attacks on misconfigured cloud environments. Organizations have been slow about ensuring that every cloud deployment is fully automated and continuously monitored.
Jeff Williams
Co-Founder and CTO, Contrast Security

CLOUD NATIVE CREATES NEW RISKS

New security risks will arise as the result of the complexity and immaturity of cloud-native environments. Cloud-native environments are inherently more secure when built and used properly. But the influx of the new technologies, tools, and knowledge to handle the extensive configuration of these systems is largely unfamiliar to many DevOps and security teams. In 2019, these teams must figure out what proper configurations look like and how to get up to scale security quickly to hedge against risks and external threats.
Kamal Shah
CEO, StackRox

FOCUS ON CLOUD NATIVE SECURITY

In 2019, we'll see more emphasis on security in cloud native organizations. Many are talking about it; this will be the year that they take action. To do this, there will be an emphasis on automation. There's no way that DevOps teams can get security into their environments without automation. To secure cloud-native environments, you must approach it from an automation-first perspective.
Reuven Harrison
CTO and Co-founder, Tufin

KUBERNETES SECURITY BECOMES ESSENTIAL

Kubernetes security will be even more critical to the holistic security of containerized environments.
Kubernetes is the orchestrator of choice for most container deployments and is central to effective container security. Kubernetes-related misconfigurations can expose organizations to significant risk if not set up properly. Moreover, the greater adoption of Kubernetes means more frequent targeting by attackers. The focus on Kubernetes over the next year has to turn from adoption to protection and hardening. Strong Kubernetes security is essential to protect containerized applications effectively.
Kamal Shah
CEO, StackRox

SOLVING SECURITY COMPLIANCE WITH DEVOPS

Innovation spurs security compliance resolution: The networking community will need to solve the issues of security compliance within DevOps. Security compliance is about making sure policies are not only followed but also ensuring local authentication credentials are rotated on a set schedule, keeping the operating system patched, and validating that improper access is not available at a service or application level. By adopting a more innovative, microservices-based approach to DevOps, the networking communications can help ensure that security compliance is top of mind for operators.
Glenn Sullivan
Co-Founder, SnapRoute

OPEN SOURCE DRIVES CODE QUALITY AND SECURITY

Code quality will be tied to security, and open source will be a driver. Developers have long realized that open source logically can make code more secure, simply because more people are analyzing the code. Some of the world's largest conglomerates rely on open source for security. For example, Microsoft's acquisition of GitHub this year portended its status as the world's largest contributor to open source projects on GitHub, a strong indicator that the world's most influential companies value code quality. This critical mass will take hold in 2019, and more companies will embrace open source to improve the quality of their code.
Albert Ziegler
Data Scientist, Semmle

FOCUS ON THIRD-PARTY API SECURITY

In 2019, companies will start to become sensitive to their developers' use of calls out to third-party APIs. It's a blind spot in the vast majority of IT organizations, similar to the way that open source was ten years ago. Most companies understand the importance of ensuring that the APIs they publish are secure from outside attack, but few are even tracking their own code's use of web services via calls to third-party APIs from the inside out. Although there are other legal and business risks that come with reliance on third-party services, the visibility will likely arise from companies having to account for confidential data they are inadvertently passing to unknown and untrusted sources outside their firewalls.
Phil Odence
GM of Black Duck On-Demand, Synopsys

IDENTITIES BECOME THE NEW SECURITY PERIMETER

Identities will become the new security perimeter: In 2019, the big cloud providers will start to realize that most enterprises are not going to migrate 100% of their applications to public cloud and will focus on delivering solutions that provide a seamless hybrid cloud experience. This will further blur the definition of the security perimeter, effectively making "identities" the new perimeter. Couple this paradigm shift with the unprecedented levels of automation that give identities vast power and enterprises will begin to rethink their approach to managing identity privileges across clouds. Enterprises will move away from depending on static role-based access controls (RBAC) to manage identity privileges and will start to turn to more dynamic authorization models (like activity-based controls) to achieve the principle of least privilege.
Balaji Parimi
CEO, CloudKnox Security

SECURITY IN 2019: NO PROGRESS?

Expect a giant leap for the security industry — not quite. I would be thrilled if this was the year that the security industry buckled down and started to focus on basic blocking and tackling — generating real assurance around the most likely and dangerous attacks. But probably it will be another year of knee jerk reactions and point solutions.
Jeff Williams
Co-Founder and CTO, Contrast Security
