We’ve been talking about DevSecOps and shifting security left for years. While this approach may not have “crossed the chasm” in 2021, we’ve seen some very notable milestones. Venture capital funding for cybersecurity jumped to record heights, with a focus on DevOps and cloud security, and the need for DevSecOps became starkly clear with the pair of Log4j vulnerabilities. On a more personal note, our open source security project Checkov passed three million downloads.
Much of that momentum was inevitable. Those in the infrastructure and reliability circles had already begun to embrace and promote the benefits of shifting left and automating as much as possible, so in many ways security was expected to follow suit. Undoubtedly, the pandemic has also accelerated the need for developers to operate more independently, without people and security processes acting as barriers to productivity and speed.
We are confident that 2022 will see a continued breakdown of the barriers between development and security teams as developer-led security practices become the norm for cloud-native organizations.
That DevSecOps finally bridges this gap does not mean that every institution and traditional organization will shift security left and adopt security best practices. However, doing so will give them competitive advantages over those who do not: lower security costs, increased developer productivity and, in turn, faster time to market.
What else do you have in store for the future of DevSecOps?
More DevSecOps job titles
Fewer than 5,000 people on LinkedIn currently have “DevSecOps” in their job title, yet there are currently over 20,000 vacancies for DevSecOps roles. In 2022, expect more of these jobs to be filled. This means that security teams across industries will perform fewer manual security audits, there will be a large influx of on-premises DevSecOps tools, and point solutions will likely begin to consolidate into single platforms.
Blurred lines between application security and infrastructure
Until recently, application security was a well-defined (albeit fractured) space focused on securing custom code and the open source packages that make up applications. However, with the rapid adoption of cloud-native applications, the lines between application and infrastructure security are becoming blurred. We expect this trend to continue as more engineers take on infrastructure-related projects, vendors expand into use cases outside of their core competencies (through acquisitions and in-house development), and the DevSecOps role continues to grow within organizations.
Infrastructure as Code: The Next Chapter of the Great Cloud Migration
We’ve been talking about the big migration to the cloud for years. At this point, many companies are ready to move on to the next chapter: Infrastructure as Code (IaC). As a result of this trend, DevSecOps will become even more important, as security needs to be involved early in the development stages or risk being left behind. Additionally, security teams will need to become more familiar with development techniques and practices to provide appropriate direction for the new way applications are created and deployed.
More software supply chain attacks
Attackers have been targeting retailers and security vendors for years, taking advantage of a minor vulnerability to gain initial access and then moving laterally to sensitive data. However, in the past year, software supply chain attacks rose to the spotlight due to the largest software supply chain attack in history, on SolarWinds. We expect this trend to continue, which in turn will bring more focus to securing supply chains. DevSecOps, which has focused mostly on tools and practices for securing code and infrastructure, will expand to supply chain automation.
If 2021 was the year DevSecOps gained publicity, we believe (and hope) that 2022 will see its best practices adopted much more widely across industries. The benefits of shifting security left are well documented: the number of high-risk incidents is significantly reduced, the potential attack surface is minimized, compliance efforts are simplified and remediation time is shortened. Organizations also save money by detecting misconfigurations and vulnerabilities early in the software development lifecycle, while at the same time saving time with tools, both open source and commercial, that enable developers to move quickly and create more secure and reliable applications.