DevSecOps may be a relatively recent combination discipline, referring to the inclusion of security planning earlier in the software development life cycle to bolster cyber defenses, but it's set to become a crucial area of importance for businesses.
Key Trends in 2023
Here are the key sector trends we foresee emerging in 2023.
Automation underpinning innovation. Automation is the primary mechanism that drives operational efficiency and is set to further advance this year in the security space. Artificial intelligence (AI) is being coupled with automation, empowering companies to streamline and scale decision-making across organizations to offset much of the manual labor currently used to complete everyday processes. This will allow security teams to concentrate their efforts on more strategic initiatives with greater precision and agility and leave more operational functions to automation.
The strategy behind building DevSecOps into a company's practices will also mature, allowing for innovation to develop without unforeseen impediments. The concept of being secure-by-design may be hackneyed, but its principles are relevant — creating cybersecurity standards, detecting vulnerabilities, and remediating problems at the outset to prevent risks. This will be the transformative approach in 2023.
Tool consolidation. Before incorporating security into processes, companies will need to determine which tools are most appropriate for tackling their most pressing challenges. Tool sprawl, where organizations build up their tool stack until the costs are more than the returns, is an approach that companies will avoid to curb inefficiencies.
Instead, we're likely to see more pervasive security tool consolidation. According to Gartner, 75% of organizations are already beginning this process. Subsuming tool-chain observability and monitoring into one platform enables companies to have a tower view of which tools are causing blockages. Moving from a fragmented tool architecture to a streamlined one will provide a more conducive environment from which to build and strengthen other processes.
Infrastructure as code (IaC). Traditional IT infrastructure management processes are manual, which invariably affects costs and resources — skilled labor is needed to perform the tasks involved. With cloud computing, the number of components across the IT landscape is always growing and more applications are released every day. IaC can be an invaluable tool here — using configuration files, IaC manages and oversees the scale of today's ever-evolving infrastructure.
With an exponentially growing number of services and configuration options, IaC allows a level of abstraction that liberates engineers from keeping up with those changes. IaC maximizes the potential of cloud computing and frees up time for developers.
Remediation. Rising cybercrime has catapulted digital security to the forefront of a business's overarching strategy. Companies are increasingly focusing on remediation rather than mere detection to avoid sitting on a growing pile of risks. For example, it works by continually monitoring their networks for any irregular activity and subsequently eradicating the threat vectors by installing a security patch to the firmware.
According to Gartner, organizations should be prepared to perform emergency remediation on key systems almost immediately following a patch release to address vulnerabilities. To perform an emergency response, companies must deploy an intelligent, automated remediation approach that is fully integrated into their processes, independent enough to immediately address routine issues, and tailored to their architectures. Prescriptive "best practices" won't cut it in 2023 — remediation must be automated to be effective.
Catalyzed by the White House memorandum to enhance the security of the software supply chain, the software bill of materials (SBOMs), an inventory of the codebase, has been venerated as a game-changer in software transparency. With some refinement and cohesion among security and software professionals, it has the potential to be a respectable benchmark for industry standards, and this year SBOMs could reach a stage of maturity that ensures its delivery matches the hype.
SBOMs are intended to pull the curtain back on the software components used by an application, allowing for more informed risk management decisions. When software producers can deliver an SBOM to their customers, they're signaling they employ advanced software practices. Despite the admirable goals of SBOMs, there are obstacles that inhibit the adoption of the use cases they intend to solve. For instance, there are many tools designed to automate SBOM generation, but they are inconsistent in how they provide data.
SBOMs also have limited value in making procurement decisions. Vendors will have to update SBOMs frequently; meaning users' SBOMs will likely be out of date by the time procurement decisions are made. Additional tools, such as software composition analysis and code signing, will become necessary elements of a complete, well-managed, and secure software supply chain. Ultimately, it will take a concerted industry effort, including defining best practices and standards as well as incentivizing vendors to be more transparent.
Security Remains Vital
It is inevitable this year that we will see companies tighten budgets and reorganize to stay afloat. Parallel to this, though, DevSecOps is positioned for upward growth. Cybersecurity risks remain a top concern, and DevSecOps strategies preserve time and money by preventing them. Nevertheless, we'll see those budget optimizations diverted toward solutions that provide more actionable results — more remediation that frees up expensive engineers, processes which integrate security into the software development cycle from the design phases, and automation that helps streamline rather than stretch the toolkit of an organization.