2024 DevSecOps Predictions – Part 1


DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024.



Taking a step back from Shift Left Awakening: We will see a reversal in the “Shift Left” model, emphasizing the importance of strong security teams creating policies. Integration into CI (DevOps) pipelines will be streamlined, striking a balance between efficiency and security. The focus will be on empowering developers with effective security tools rather than overwhelming them with too many, ensuring a more efficient and secure development process.

Shahar Man
Co-Founder & CEO, Backslash Security


Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.


In 2024, containers and microservices will not just support but will define DevOps practices, solidifying their position at the core of DevSecOps. This evolution will ensure that security is an integral part of the development pipeline, with containers providing a standardized, secure environment and microservices enabling targeted, swift security updates. This framework empowers organizations to build, deploy, and manage applications with agility, without compromising on security. As a result, the essence of DevSecOps — continuous security at speed — becomes the standard operating procedure for development teams.

Keith Cunningham
VP of Strategy, Sylabs

As DevOps tools rise in popularity, they will be a prime target for hackers. This will drive the shift towards DevSecOps to ensure that security is not a final checkpoint but a continual process, embedded from initial design to deployment and maintenance.

Guillaume Moigneu
VP Product, Growth and Monetization, Platform.sh

I predict that 2024 will be the year in which even conservative industries, such as Automotive and MedTech, will embrace DevSecOps with bug and vulnerability detection during development. As these industries are moving to software-defined everything (SDx), even vehicles, that are constantly connected via APIs and push over-the-air software updates, the logical response is to adopt the same DevSecOps mode as cloud-native computing.

Sergej Dechand
CEO and Co-Founder, Code Intelligence


In a DevSecOps 2.0 world, Cyber teams will (be forced to) adopt developer best practices and be responsible for building, testing, releasing and monitoring mobile app security. Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.

Chris Roeckl
CPO, Appdome


In 2024, DevSecOps will experience a paradigm shift in integrating security into the development process. Security will no longer be seen as a separate function but an intrinsic part of the development lifecycle. Security tools and practices will be seamlessly integrated into CI/CD pipelines, enabling automated security checks throughout the software delivery process. Threat intelligence and vulnerability assessments will be leveraged in real-time, providing immediate insights into potential risks. Security champions within development teams will be pivotal in ensuring secure coding practices. The adoption of zero-trust principles will become more prevalent, emphasizing continuous verification and authorization for all users and devices. Overall, 2024 will be a year of heightened security consciousness, where DevSecOps becomes synonymous with agile, secure, and resilient software development. This evolution will protect organizations from cyber threats and foster a culture of security-first mindset within the development community.

Rajesh Sarangapani
SVP and Head of Innovation, Cigniti Technologies


In the coming year, we expect to see organizations work to close the disconnect between their DevOps and Security teams. By empowering these teams to work more cohesively, companies will have an easier time ensuring that applications and data are protected from security threats and vulnerabilities. Instead of looking within the “inside” of a cloud infrastructure, DevOps and security teams must work together in securing the border guarding each system. By doing so, organizations can maintain a robust in-house DevSecOps cybersecurity program that helps them react to incidents intelligently within minutes based on the uniqueness of each environment.

Or Shoshani
CEO and Founder, Stream Security

A trend expected to continue in 2024 is more need and willingness for collaboration between security and engineering teams. Time and time again, many security risks and vulnerabilities can be traced back to security teams being unaware of what engineering teams are doing and which applications are being created and deployed. Most organizations still haven’t built a cultural connection between these two important teams. Over the next 12 months, it is pivotal that organizations place more onus on forming collaborative relationships between software engineering and security teams. The two teams must not be viewed as separate but rather as one group working cohesively. Better partnerships will ensure security teams are aware of what applications and code exist within their environment and will also lead to security practices being better understood by those creating the software. To facilitate this bond, organizations must ensure that any security solutions purchased help the software engineering and the security teams work in parallel. As engineers are accustomed to working with solutions that have easy-to-use, efficient and well-appointed user interfaces (UIs), as they become more involved in the security process, they require the same level of efficiency within security tooling.

Dan Hopkins
VP of Engineering, StackHawk


Both development and security will take a page from site reliability engineering (SRE), quantifying error budgets that represent the best compromise among managing risks and the costs of doing so. This trend will bring engineering best practices to the table, helping organizations manage risks rationally across the board.

Jason Bloomberg
President, Intellyx


In 2024, the next iteration of DevSecOps has to be aligned with business risk. Only once application or cloud security teams can clearly define what is a risk—based on severity, likelihood, and impact — and understand the nature of every software change, can you determine the right-sized response. For a critical vulnerability that’s actually used in the code, exploitable via an internet exposed API, deployed to an internet-facing cluster in an application that stores PII and generates 80% of the company’s revenue — that should mean blocking a build or pull request. For an exposed test password that’s in testing code and is never deployed, that probably means doing nothing. This will require more mature tooling such as application security posture management (ASPM) solutions that go beyond context-less developer guardrails and one-dimensional policies into a platform that provides deep intelligence into application architecture, code, deployment, developers’ knowledge and behavior and

Originally published by DevOpsDigest: 2024 DevSecOps Predictions – Part 1

Copyright notice: posted by admin on February 8, 2024 at 8:46 AM.