The Future of DevSecOps

To understand the current and future state of DevSecOps, we gathered insights from 29 IT professionals in 27 companies. We asked them, "What’s the future of DevSecOps from your perspective, where do the greatest opportunities lie?" Here's what they told us:

Adoption

• A lot more that can be done. The stuff you code and build is where you see most of the advancing of embedding into your CI/CD pipeline. As the world moves toward being more API-driven with different cloud environments, we will think about how to embed a security angle to all of these things regardless of how the platform builds out. It’s a workflow with people involved. The more you do, the more secure you can make it. You will never be fully there with any security. There is always something new coming up. The time to react is super critical. Use the tools, get your culture and stay abreast of changes.
• In five to seven years, it will just be the standard way you do DevOps.
• Given that we are in the middle of evolutionary leap forward it creates a lot of opportunities to automate practices and a new platform of container-based technologies with frameworks that fit on top of K8s. Any tech stack bolted on top of K8s creates opportunity and challenge. How can security teams stay ahead of the curve as technology is evolving? Become familiar, understand risk, and get team understanding before diving into alpha trials of new technology.
• Currently, the focus of DevSecOps is implementing security and risk management protocols into development workflows to ensure code is secure and compliant as early as possible in the development process, and that released code meets the highest possible standards for security and privacy. This is still an integration between current security practices and the DevOps culture of development. In the future, I think — or at least I hope! — that security organizations will come to appreciate the high-visibility and high-collaboration shared-code culture of DevOps and bring that approach into their security practices wholeheartedly, borrowing the iterative and open methods that have served development so well. The open source movement has taught us that many eyes on code make for stronger code, and the same will surely prove itself true for security tests and other code security automation.
• 1) We will continue to see security shifting further left in the future with an increasing number of security and compliance controls getting embedded earlier into the DevOps lifecycle. There will also be a lot more conversation and emphasis around the security of the DevSecOps pipeline in and of itself as an important risk surface. 2) The greatest opportunity, however, lies in successful DevSecOps implementations requiring reduced security friction and hence serving as a catalyst for innovation in existing security tools, enabling them to generate more accurate and relevant insight or actions. 3) As of now, most of the focus is rightly on code and products being developed for customers. However, there’s a significant opportunity for organizations to adopt a DevSecOps approach to other technology areas like internal IT environments. The same DevSecOps efficiencies can be harvested to ensure secure internal IT environments.
• Protection across the data lifecycle and across security disciplines (e.g. access control, data protection, etc.). DevOps will spread across every facet of the digital transformation and consume data in all forms. Protecting throughout these various environments will be challenging and present plenty of opportunities.
• I like the general direction that DevSecOps is taking in the service-provider world. The closer we integrate the various engineering disciplines, the better. However, the biggest thing I can still see is change management. Changes are fast and frequent, and in enterprises, that is often not a good thing. It comes down to the risk appetite of an organization of what they are willing to move to the DevSecOps model.
• I anticipate that over the next 18 months the percentage of organizations that move to DevSecOps will increase significantly. The main drivers will range from risk and compliance-driven initiatives to digital transformations, cloud migrations, and a desire to build secure offerings for customers at a time when data breaches make headlines on a regular basis.

Security Is Ingrained

• People in their pipelines are still fairly immature. They’ve incorporated SonarQube and think they’re good. Security will have more influence as it integrates with the product team. More metrics to drive efficiency. What is the code coverage of the security scanners? Are we incorporating other malware scanners? How many threats have been fixed? We’re just starting to look at the metrics of DevSecOps to determine what the metrics look like.
• DevOps and DevSecOps will just merge. Share the same philosophies. Also the opposite problem of people dismissing as a fad.
• I believe we’ll see DevOps shift to become DevSecOps at an increased pace, driven by enterprises’ need to implement application security that encompasses the build-ship-run lifecycle from start to finish. It’s now clear to enterprises that image scanning and host security alone fail to safeguard applications from the threat of devastating zero-day exploits. Containerized environments make the need for DevSecOps and security across the full application lifecycle especially crucial, due to the facts that enterprises now utilize containers in production, and that automated, specialized container network security is required to thwart attacks upon these highly dynamic environments.
• The future is providing enough incentive for everybody to want to do it. The organizations really good at security right now prioritize it from the top. They might do that because they feel security differentiates them from their competition. They might do it because a few people really care about it and know it’s the right thing to do. We need to make secure by default easier. It’s too easy to move security priorities below the fold and move on. If doing things insecurely becomes more difficult than accomplishing the same things, but with security woven the whole way through, this movement has worked.
• Automation — Even basic automation of building infrastructure and auditing security configurations is a huge benefit at a small cost. Education — Getting teams past merely reciting “security is everyone’s responsibility” to where they understand the importance of security to the company’s bottom line motivates the inclusion of security throughout the development process.
• We will see further growth in this space as more companies start adopting DevOps and moving to public clouds. DevSecOps will go hand-in-hand with DevOps innovations and adoption.
• Have developers and operations taking more responsibility for security. DevSecOps takes on the bulk of the work and distributed throughout as more people are aware of security. More people will be trained on security in dev and operations.
• Security has to get baked into DevOps. It will take more failure and breaches before people take it seriously.
• As the industry continues to move towards microservice and serverless architectures, an organization’s overall attack surface will exponentially increase. Business leaders will come to view DevSecOps as a fundamental requirement to operate in the digital world. Successful DevSecOps implementations will detect and address potential security threats at greater speed and with less human intervention.
• DevOps is shifting quickly toward desired-state models of configuration. Developers say what the state of the world should be; the system converges the actual state to the desired state, e.g. Kubernetes, Terraform, etc. The introduction of desired-state gives DevSecOps unprecedented opportunity to impose regulations/best-practices as guardrails to that desired state – effectively stopping security, operations, and compliance problems before they exist.

AI/ML

• Automation is key. We interviewed 450 IT ops professionals about how to meet the needs of their business. 31% are stretched too thin because not enough people to do it all. Automating workflows, testing, and development is the answer. Streamline processes with automation. Use AI-driven applications and ML to improve DevOps. Use AI and ML to know where to focus time for vulnerability management.
• The greatest opportunities lie in creating mature solutions that ensure automated security checks of both applications and infrastructure in the DevSecOps pipeline, accelerating the overall pipeline, and reducing the false positives. Also, implementing AI-based solutions to predict and identify patterns to unearth security vulnerabilities before they are found by hackers is a key opportunity that companies should focus their energies on.
• The term "DevSecOps" will probably go away soon. This is not to say that security will disappear; rather, it is that security will become such a fundamental part of software delivery that a separate name for "DevOps with security" will no longer be necessary. As we get better at embedding security into our software up-front, customers and users will be exposed to fewer risks, and their level of trust will go up. Artificial Intelligence (AI) is becoming more prevalent in the security domain for threat detection, biometric logins, and threat response, and is likely to become part of DevSecOps in the near future, reducing the time necessary for testing while increasing efficiency.

Other

• Similar to NoOps, it just needs a flashing light to say pass or fail and reduce the burden on teams.
• We are getting into an era where we have the ability to trust data and code, so we do not have to trust other people and parties. This makes partnerships easier. It’s easier to share information. New business models will come from it.
• In the enterprise space, a lot are doing IaaS in the cloud. Seeing a lot of PaaS. You eliminate the infrastructure security piece. Focus time and resources on code quality and writing secure code. There’s a lot of technical debt in infrastructure. Most teams are unable to write secure code.
• There will be a convergence of compliance, risk, and the SDLC. That means DevOps teams need to have some baseline understanding of compliance and risk. Auditors and risk managers need to become more technical. The greatest opportunities lie not only in cross-functional teams, but in cross-functional business units (IT, Security, and Risk). The discussions will shift from application architecture to business architecture in order to provide value to the business.
• It’s all about having a common platform, consistency in operations, eliminating black boxes and one-off implementations. K8s is a layer of protection regardless of where you deploy. Bring security practices up to developers and into CI/CD testing, production, and pre-production.

Here's who provided their insights:

• Anne Baker, V.P. of Product Management and Marketing, Adaptiva
• Steven Aiello, Solutions Principal, AHEAD
• Gadi Naor, Co-founder and CTO, Alcide
• Mike Stahnke, VP of Platform, CircleCI
• Brian Nash, Director of Product Marketing, and Brian Dawson, DevOps Evangelist, CloudBees
• Michael Rose, Vice President of Engineering, Cybera
• Doug Dooley, COO, Data Theorem
• OJ Ngo, CTO and Co-Founder, DH2i
• Kris Lahiri, Co-founder, Egnyte
• Brian Platz, Co-founder and Co-chairman, Fluree
• Javed Shah, Director of Product Management for Cloud and DevOps, ForgeRock
• Malcolm Isaacs, Senior Solutions Manager, Application Delivery Management, Micro Focus
• Gary Duan, CTO, NeuVector
• Yogesh Badwe, Director of Information Security, Okta
• Franklin Mosley, Senior Application Security Engineer/Evangelist, PagerDuty
• David Strauss, CTO and Co-founder, Pantheon
• Jeff Keyes, Director of Product Marketing, Plutora
  
• Vishnu Nallani, VP & Head of Innovation, Qentelli
• Sheng Liang, Co-founder and CEO, and Shannon Williams, Co-founder and VP Sales & Marketing, Rancher Labs
• Gene Yoo, CEO, Resecurity
• Altaz Valani, Research Director, SecurityCompass
• Jim Hansen, V.P. Products, SolarWinds
• Colby Dyess, Director of Cloud Marketing, Tufin
• Tim Hinrichs, CTO and co-founder, Styra
• Joseph Feiman, CSO, WhiteHat Security
• Andrei  Bezdedeanu, VP of Engineering, ZeroNorth
• Tim Reilly, COO and CFO, Zettaset