DEVOPSdigest asked industry experts how they think DevSecOps will evolve and impact development and application security in 2024.
REVERSAL OF SHIFT LEFT MODEL
Taking a step back from Shift Left Awakening: We will see a reversal in the “Shift Left” model, emphasizing the importance of strong security teams creating policies. Integration into CI (DevOps) pipelines will be streamlined, striking a balance between efficiency and security. The focus will be on empowering developers with effective security tools rather than overwhelming them with too many, ensuring a more efficient and secure development process.
Shahar Man
Co-Founder & CEO, Backslash Security
EMA’S 2024 CYBERSECURITY PREDICTIONS
Chris Steffen, VP of Research covering Information Security, Risk, and Compliance Management at Enterprise Management Associates (EMA), and Ken Buckler, Research Analyst covering Information Security at EMA, make 2024 cybersecurity predictions on the Cybersecurity Awesomeness Podcast.
Click here for a direct MP3 download of Episode 41
DEVSECOPS – STANDARD OPERATING PROCEDURE
In 2024, containers and microservices will not just support but will define DevOps practices, solidifying their position at the core of DevSecOps. This evolution will ensure that security is an integral part of the development pipeline, with containers providing a standardized, secure environment and microservices enabling targeted, swift security updates. This framework empowers organizations to build, deploy, and manage applications with agility, without compromising on security. As a result, the essence of DevSecOps — continuous security at speed — becomes the standard operating procedure for development teams.
Keith Cunningham
VP of Strategy, Sylabs
As DevOps tools rise in popularity, they will be a prime target for hackers. This will drive the shift towards DevSecOps to ensure that security is not a final checkpoint but a continual process, embedded from initial design to deployment and maintenance.
Guillaume Moigneu
VP Product, Growth and Monetization, Platform.sh
I predict that 2024 will be the year in which even conservative industries, such as Automotive and MedTech, will embrace DevSecOps with bug and vulnerability detection during development. As these industries are moving to software-defined everything (SDx), even vehicles that are constantly connected via APIs and push over-the-air software updates, the logical response is to adopt the same DevSecOps mode as cloud-native computing.
Sergej Dechand
CEO and Co-Founder, Code Intelligence
DEVSECOPS 2.0
In a DevSecOps 2.0 world, Cyber teams will (be forced to) adopt developer best practices and be responsible for building, testing, releasing and monitoring mobile app security. Using a DevSecOps 2.0 approach, app makers can use mobile application defense automation in the CI/CD pipeline to shift the burden and responsibility for delivering the needed protections from the development team to the cyber team. This way the cybersecurity team can use the same developer best practices to build, test, release and monitor the protection model in the mobile apps on its own, as an equal and independent part of the DevSecOps process.
Chris Roeckl
CPO, Appdome
SECURITY BECOMES PART OF SDLC
In 2024, DevSecOps will experience a paradigm shift in integrating security into the development process. Security will no longer be seen as a separate function but an intrinsic part of the development lifecycle. Security tools and practices will be seamlessly integrated into CI/CD pipelines, enabling automated security checks throughout the software delivery process. Threat intelligence and vulnerability assessments will be leveraged in real-time, providing immediate insights into potential risks. Security champions within development teams will be pivotal in ensuring secure coding practices. The adoption of zero-trust principles will become more prevalent, emphasizing continuous verification and authorization for all users and devices. Overall, 2024 will be a year of heightened security consciousness, where DevSecOps becomes synonymous with agile, secure, and resilient software development. This evolution will protect organizations from cyber threats and foster a culture of security-first mindset within the development community.
Rajesh Sarangapani
SVP and Head of Innovation, Cigniti Technologies
DEVOPS AND SECURITY TEAM COLLABORATION
In the coming year, we expect to see organizations work to close the disconnect between their DevOps and Security teams. By empowering these teams to work more cohesively, companies will have an easier time ensuring that applications and data are protected from security threats and vulnerabilities. Instead of looking within the “inside” of a cloud infrastructure, DevOps and security teams must work together in securing the border guarding each system. By doing so, organizations can maintain a robust in-house DevSecOps cybersecurity program that helps them react to incidents intelligently within minutes based on the uniqueness of each environment.
Or Shoshani
CEO and Founder, Stream Security
A trend expected to continue in 2024 is more need and willingness for collaboration between security and engineering teams. Time and time again, many security risks and vulnerabilities can be traced back to security teams being unaware of what engineering teams are doing and which applications are being created and deployed. Most organizations still haven’t built a cultural connection between these two important teams. Over the next 12 months, it is pivotal that organizations place more onus on forming collaborative relationships between software engineering and security teams. The two teams must not be viewed as separate but rather as one group working cohesively. Better partnerships will ensure security teams are aware of what applications and code exist within their environment and will also lead to security practices being better understood by those creating the software. To facilitate this bond, organizations must ensure that any security solutions purchased help the software engineering and security teams work in parallel. As engineers are accustomed to working with solutions that have easy-to-use, efficient and well-appointed user interfaces (UIs), as they become more involved in the security process, they require the same level of efficiency within security tooling.
Dan Hopkins
VP of Engineering, StackHawk
COMPROMISE – MANAGING RISK AND COST
Both development and security will take a page from site reliability engineering (SRE), quantifying error budgets that represent the best compromise between managing risks and the costs of doing so. This trend will bring engineering best practices to the table, helping organizations manage risks rationally across the board.
Jason Bloomberg
President, Intellyx
DEVSECOPS ALIGNS WITH BUSINESS RISK
In 2024, the next iteration of DevSecOps has to be aligned with business risk. Only once application or cloud security teams can clearly define what is a risk — based on severity, likelihood, and impact — and understand the nature of every software change, can you determine the right-sized response. For a critical vulnerability that’s actually used in the code, exploitable via an internet-exposed API, deployed to an internet-facing cluster in an application that stores PII and generates 80% of the company’s revenue — that should mean blocking a build or pull request. For an exposed test password that’s in testing code and is never deployed, that probably means doing nothing. This will require more mature tooling such as application security posture management (ASPM) solutions that go beyond context-less developer guardrails and one-dimensional policies into a platform that provides deep intelligence into application architecture, code, deployment, developers’ knowledge and behavior and
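The right-sized response described in the prediction above (block the build for a reachable, internet-exposed critical bug in a PII-handling, revenue-critical app; do nothing for a test-only password that never ships) can be expressed as a context-aware gate rather than a one-dimensional severity policy. The following is an added illustration, not code from DEVOPSdigest or from any ASPM vendor; the `FindingContext` schema, the weights and the thresholds are assumptions chosen to make the two cases in the text come out as the author says, plus a third, middle case that a severity-only policy would treat the same as the first.

```python
"""Risk-sized gating for a single security finding (illustrative, not an ASPM product's logic)."""
from dataclasses import dataclass
from enum import Enum


class Decision(Enum):
    BLOCK = "block"    # fail the build or pull request
    TICKET = "ticket"  # record a tracked issue but let the change through
    IGNORE = "ignore"  # nothing beyond logging


@dataclass(frozen=True)
class FindingContext:
    """Context an ASPM-style gate needs for one finding (hypothetical schema)."""
    severity: str            # "critical" | "high" | "medium" | "low"
    used_in_code: bool       # vulnerable function actually reachable from the app
    exposed_via_api: bool    # reachable through an internet-exposed API
    internet_facing: bool    # deployed to an internet-facing cluster
    stores_pii: bool         # application handles personal data
    revenue_share: float     # fraction (0..1) of company revenue the app generates
    deployed: bool           # False for code that never reaches any environment
    test_code_only: bool     # finding lives only in test code


# Assumed weights: severity is the scanner's view, the rest is deployment context.
SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.7, "medium": 0.4, "low": 0.1}


def likelihood(ctx: FindingContext) -> float:
    """How plausible exploitation is, given reachability and exposure."""
    score = 1.0 if ctx.used_in_code else 0.2
    score *= 1.0 if ctx.exposed_via_api else 0.3
    score *= 1.0 if ctx.internet_facing else 0.4
    return score


def impact(ctx: FindingContext) -> float:
    """Business impact: baseline plus PII handling plus revenue dependence."""
    return 0.3 + (0.4 if ctx.stores_pii else 0.0) + 0.3 * min(max(ctx.revenue_share, 0.0), 1.0)


def risk_score(ctx: FindingContext) -> float:
    """Severity x likelihood x impact; undeployed or test-only code carries no runtime risk."""
    if not ctx.deployed or ctx.test_code_only:
        return 0.0
    return SEVERITY_WEIGHT[ctx.severity] * likelihood(ctx) * impact(ctx)


def decide(ctx: FindingContext, block_at: float = 0.5, ticket_at: float = 0.1) -> Decision:
    """Map the score onto the response the pipeline should take (thresholds are assumptions)."""
    score = risk_score(ctx)
    if score >= block_at:
        return Decision.BLOCK
    if score >= ticket_at:
        return Decision.TICKET
    return Decision.IGNORE


# Constructed sample findings mirroring the two cases in the text, plus one in between.
CRITICAL_EXPOSED = FindingContext("critical", True, True, True, True, 0.8, True, False)
TEST_PASSWORD = FindingContext("high", False, False, False, False, 0.0, False, True)
INTERNAL_PII_APP = FindingContext("high", True, True, False, True, 0.05, True, False)

if __name__ == "__main__":
    for name, ctx in [("critical_exposed", CRITICAL_EXPOSED),
                      ("test_password", TEST_PASSWORD),
                      ("internal_pii_app", INTERNAL_PII_APP)]:
        print(f"{name}: score={risk_score(ctx):.3f} decision={decide(ctx).value}")
```

The point of the third sample is that a severity-only policy would block or ignore it together with the first; with context it becomes a tracked ticket. In practice the factor values would come from reachability analysis, deployment inventory and data-classification sources rather than being hand-entered.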
Originally published by DEVOPSdigest: 2024 DevSecOps Predictions – Part 1