Organizational adoption and alignment, security of the software development pipeline, automation, and AI/ML.
I wrote The Future of DevSecOps in June 2019 after gathering insights from IT professionals who foresaw 1) greater adoption, 2) security being ingrained in development, and 3) AI/ML-driven automation.
For this article, I’m sharing what IT professionals now see as the potential for DevSecOps. I previously shared how these IT professionals have seen the recent evolution of DevSecOps, as well.
I received input from more than 40 IT professionals. Based on their feedback, the greatest opportunities for DevSecOps are 1) alignment of organizations, 2) security of the software pipeline, 3) automation, and 4) AI/ML.
Alignment Drives DevSecOps
The biggest opportunity comes with the addition of “biz.” In a recent article for DZone, I described how BizDevSecOps is the evolution of DevSecOps, and in many ways, this reality is already here. When developing an application, user experience needs to be a top priority as end users are among the most important stakeholders. This is especially true now when the primary way for a customer to interact with a business is through their digital services. Business teams now have user experience top-of-mind because it drives customer satisfaction and that is a key contributor to revenue. By breaking down silos and incorporating their input into overall DevSecOps, teams can create better-performing and more seamless and secure applications.
There is an incredible opportunity for traditional IT organizations to align with DevSecOps practices today, as well as to modernize legacy platforms. This is important in a post-COVID world as organizations scale and change while the world settles into its next normal mode of behavior. Obsolete platforms and applications do not meet the agility requirements of today, much less tomorrow.
Better integration of purpose-built tooling for development, monitoring, threat visibility, and protection throughout the entire pipeline and at runtime. Security automation and real-time protection are the key criteria for ensuring the success of the DevSecOps movement.
There is a real opportunity for a BizDevSecOps approach to application security to form a new focus for digital transformation. Traditional app security models are buckling under the pressure of dynamic cloud-native environments and applications like Kubernetes, mobile, and serverless. The monitoring tools most organizations deploy to catch vulnerabilities create blind spots and bottlenecks that are only growing. This problem is made worse by siloed teams, manual processes, and outdated approaches that leave vulnerabilities missed in preproduction and production environments. In fact, 93% of CIOs say IT’s ability to maximize value for the business is hindered by challenges like siloed IT and business teams. However, when developers collaborate with ops, or ops with business teams, or the business with developers, everyone can quickly get on the same page, drawing data from a single source of truth.
Alignment of both organizations and architectures. Organizationally, security is aligning with the more technical outcomes with developers and the more business-driven outcomes with CISOs. DevSecOps sits in the middle and plays a big role in bridging the gap.
I believe the biggest opportunity now is being able to actually tie all these DevSecOps requirements, risks, and opportunities into a broader workflow within the organization. Microservices architecture introduces a lot of moving parts. Today, most of these parts are managed as isolated requirements or items. At scale, that makes it really hard to manage, monitor, and secure. I expect to see a tighter workflow between DevOps, DevSecOps, and the overall infrastructure team as part of the continued evolution.
Secure Software Development Drives DevSecOps
There will be an increased focus on the security of the software pipeline itself, as it is a core part of the software supply chain. You may be doing all the right things to your software, but you also need to make sure all the right things are happening in your software delivery pipelines, and that you have control over the security of those pipelines.
Most organizations are just getting started with DevSecOps, so there are a ton of opportunities. Focusing on fast and highly accurate Appsec tools for security testing and open source library analysis is a good place to start. Maturing and expanding threat modeling, standard defenses, Appsec training, and champions programs are also strong moves. One key opportunity is the “SecOps” piece of DevSecOps. Most organizations don’t have visibility into who is attacking them, what attacks they’re using, and which systems they are targeting. This is critical threat intelligence that can both help operations protect the application layer and feed back into the development team. This feedback loop is a great way to build the culture of security innovation and learning that’s at the core of DevSecOps. Supply chain security has also become critical for every organization. DevSecOps must expand its scope to cover these challenges. There are three parts of the software supply chain to secure.
1) Your custom code, whether developed by staff, consultants, or outsourced. We are pretty bad at this, as 20 years of Appsec haven’t moved the needle. Look at IAST and RASP to enhance traditional SAST/DAST/WAF. Note that ordinary Appsec typically only looks for inadvertent mistakes, not malicious code.
2) Your third-party code, whether OSS or commercial components. We are also very weak here, because with current SCA tools we can’t even stop using libraries with *known* vulns, much less deliberately malicious code. RASP can help prevent zero-day library vulns from being exploited.
3) All the software you use in your software factory: IDEs, build tools, test tools, etc. There is little emphasis here currently by defenders. Developer environments are often wide open. An attack here can do anything a malicious developer could do.
All 3 kinds of code in the supply chain are potentially a SolarWinds type debacle. Attackers, who have historically focused on (1), have started probing (2) and (3) in recent years. We have a lot of work to do to ensure the integrity of the software supply chain. Other industries (electronics, aviation, pharma, etc.) are decades ahead.
Deepak Kumar, CEO and founder of Adaptiva:
The greatest opportunities lie in improving the CI/CD (continuous integration/continuous development) pipeline with improved security and tools to help validate third-party code as well as natively developed code. Increasing scrutiny on this so-called “shadow code” necessarily improves security, and these additional processes, if implemented properly, can help prevent similar supply-chain attacks in the future.
Automation Drives DevSecOps
More than ever, teams can develop and deploy confidently in the knowledge that they're meeting corporate security standards. As we see it, the next frontier is the extension of this principle – unlocking team innovation through automation – to the realm of integrations, particularly monolithic core systems, which tend to be the last bastion of centralized IT control.
Automation enables DevSecOps to monitor an attack surface that is increasingly widespread, and almost impossible to monitor without automation technology. This will help prevent organizations from succumbing to cyberattacks with financial and reputational repercussions, while also reducing the risk of non-compliance within regulated industries.
Hyper Automation will continue apace with AIOps, but there is a crucial need to “Trust, but (cryptographically) Verify” the data sets being ingested as part of an overall ML Governance strategy. Privacy and regulatory compliance will increasingly be automated, and attestations require the ability to reproduce the state of code and data going back over increasingly long timeframes.
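As an added illustration of the “trust, but cryptographically verify” point above (example code written for this page, not from the original article or any product it mentions): a dataset manifest pins a SHA-256 digest per file together with the code commit it was produced with, the ingestion step refuses data that no longer matches, and each run emits an attestation record that can be replayed later. The manifest layout, the file names and the PLACEHOLDER_COMMIT value are assumptions.

```python
import hashlib
import json
import os
import tempfile
from datetime import datetime, timezone

def sha256_file(path: str) -> str:
    """Stream a file through SHA-256 so large datasets do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_manifest(manifest: dict, data_dir: str) -> dict:
    """Compare every file in the manifest against its pinned digest.
    Returns an attestation record; 'ok' is True only when every digest matches."""
    mismatches = []
    for rel, expected in manifest["files"].items():
        path = os.path.join(data_dir, rel)
        actual = sha256_file(path) if os.path.exists(path) else None  # None = file missing
        if actual != expected:
            mismatches.append({"file": rel, "expected": expected, "actual": actual})
    return {
        "dataset": manifest["dataset"],
        "code_commit": manifest["code_commit"],  # ties the data state to the code state
        "verified_at": datetime.now(timezone.utc).isoformat(),
        "ok": not mismatches,
        "mismatches": mismatches,
    }

def demo() -> tuple:
    """Constructed sample: pin two files, verify, then alter one and verify again."""
    with tempfile.TemporaryDirectory() as d:
        files = {"train.csv": b"id,label\n1,spam\n2,ham\n", "labels.json": b'{"spam":1,"ham":0}'}
        for name, blob in files.items():
            with open(os.path.join(d, name), "wb") as f:
                f.write(blob)
        manifest = {
            "dataset": "example-v1",
            "code_commit": "PLACEHOLDER_COMMIT",  # a real pipeline records the git SHA here
            "files": {name: hashlib.sha256(blob).hexdigest() for name, blob in files.items()},
        }
        before = verify_manifest(manifest, d)
        with open(os.path.join(d, "train.csv"), "ab") as f:
            f.write(b"3,spam\n")  # simulated change made after the manifest was signed off
        after = verify_manifest(manifest, d)
    return before, after

if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

An ingestion job would gate on `ok` and archive the returned record alongside the manifest so the code/data state of any past run can be reproduced on demand.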
AI/ML Drives DevSecOps
DevSecOps needs to integrate Artificial Intelligence engines for deeper scanning for malicious code into either the build or ship (registry scanning) phase. Just looking for CVEs is a commodity and does not protect against the biggest issue: all the big attacks of 2021 went after unknown CVEs. It is critical to look for malicious code in addition to CVEs.
New approaches to detecting malicious code with very high efficacy and speed are now commercially available. These can be integrated into either the build phase or the ship phase to scan all code that is being put into production. Deep Learning can provide fast verdicts in milliseconds (similar to how self-driving cars make decisions in milliseconds to drive) at scale so that thousands of containers can be deep scanned per day for supply chain and other attack vectors.
Thanks also to the following for sharing their insights for this article: