From the WannaCry ransomware attack that resonated across the globe, to the massive Equifax breach and series of security mistakes that followed, 2017 saw a major uptick in cyberattacks, with no signs of slowing down.
While each incident was unique, they all highlighted the complexity of applying security at scale. Wrangling the vast number of servers, applications and endpoints a large organization has is difficult, and while attackers only have to find one flawed system to create a breach, defenders need to get them all right.
Fortunately, in the last decade we finally learned how to properly deal with large scale systems – by embracing DevOps. Can we apply the culture, process and technology changes DevOps modeled to make security scale?
Here are my top 5 predictions for 2018, a year I expect to be pivotal for the DevSecOps movement:
1. Digital transformation initiatives will start including security transformation.
Over the last few years, many enterprises have been heavily investing in modernizing their technology platforms, looking to dramatically accelerate the pace of development and level of innovation. These companies understand that if you don’t move fast, you’ll be left behind, and are willing to adapt their processes, software and even culture to keep up with the times.
These projects focus on accelerating development and often overlook the implications for security practices. However, bolting manual security gates onto a continuous delivery pipeline, or expecting developers to own security without the proper tools, simply will not work.
As these initiatives roll out in earnest during 2018, outdated security practices will clash with modern development, causing development slowdowns and security “close calls”. Companies will learn to appreciate this concern, invest in understanding how their security activity must change, and incorporate these changes into their digital transformation initiatives.
2. Dev tools & Cloud platforms will start differentiating on application security.
From the infamous Apache Struts vulnerability behind the Equifax breach, to malicious packages published to the Python and JavaScript registries, 2017 dramatically raised the level of (justified!) paranoia developers feel regarding their application’s security. Responding to this need, we’ve seen GitHub begin alerting on vulnerable dependencies, Google & Microsoft flag vulnerable libraries in their dev tools, and Heroku and Atlassian highlight security in their marketplaces.
In 2018, the leading dev tools and cloud platforms will invest much more in helping developers build more secure applications. These companies will start highlighting those capabilities, using security as a differentiator in increasingly commoditized spaces, especially for the coveted enterprise customers.
3. A cloud player will become a security tooling provider.
At least one cloud platform will acquire a significant player in the security space. In part, it will do so because acquiring and integrating security capabilities into the cloud platform is a faster and stronger way to differentiate in its market. In addition, an existing standalone security solution will help penetrate customers using a competing cloud platform, growing the buyer’s reach.
Moreover, while security acquisitions tend to focus exclusively on revenue, this acquisition will better resemble a dev tooling company acquisition. This means developer mindshare, reach and broad usage will carry substantial weight in the chosen target – and the price it will command.
4. Open source security will become a CSO level issue.
The monumental Equifax breach serves as a painful example of many security mistakes, but none is as grave as running an open source component with a known, unpatched vulnerability. The breach – and the commentary that followed – clearly demonstrated that companies must track the open source components they consume and act on the vulnerabilities disclosed in them, fast.
In 2018, many security officers will have a clear goal of “not being the next Equifax”, including a clear focus on tackling open source security. Given the nature of this problem, securing open source will require changes in people, process and technology, and help move forward a DevSecOps approach.
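The two points above (a gate that fits a continuous pipeline, and tracking known vulnerabilities in consumed open source components) come together in a dependency audit step. The following is an added example, not code from the original post: it parses a pinned lock file, matches each dependency against an advisory feed using the "introduced inclusive, fixed exclusive" version-range convention most vulnerability databases use, and blocks the build only above a severity threshold so low-risk findings are reported without stopping developers. The lock file, the advisory feed and the `ADV-000x` identifiers are all constructed for illustration and are not real packages' advisories or real CVE/GHSA numbers.

```python
"""Dependency vulnerability gate for a CI pipeline.

Added example, not code from the original post. The lock file, the advisory
feed and the advisory identifiers below are constructed for illustration.
"""
import sys
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed lock file: one "name==version" pin per line.
LOCKFILE = """\
# sample pins (constructed)
struts2-core==2.3.31
requests==2.18.4
lodash==4.17.4
"""

# Constructed advisory feed. IDs are placeholders, not real CVE/GHSA numbers.
# An advisory affects versions in [introduced, fixed): introduced is inclusive,
# fixed is exclusive, the convention most vulnerability databases use.
ADVISORIES = [
    {"id": "ADV-0001", "package": "struts2-core", "introduced": "2.3.5",
     "fixed": "2.3.32", "severity": "critical"},
    {"id": "ADV-0002", "package": "lodash", "introduced": "0",
     "fixed": "4.17.5", "severity": "low"},
    {"id": "ADV-0003", "package": "requests", "introduced": "0",
     "fixed": "2.3.0", "severity": "high"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '2.3.31' into (2, 3, 31) so comparison is numeric, not lexical.

    Lexical comparison would wrongly rank '2.18' below '2.3'. Non-numeric
    segments (e.g. 'rc1') are treated as 0 for this illustration.
    """
    return tuple(int(p) if p.isdigit() else 0 for p in text.split("."))


def parse_lockfile(text: str) -> Dict[str, str]:
    """Map package name -> pinned version, ignoring blanks and comments."""
    deps: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, _, version = line.partition("==")
        deps[name.strip().lower()] = version.strip()
    return deps


@dataclass
class Finding:
    advisory: str
    package: str
    version: str
    severity: str
    fixed: str


def audit(deps: Dict[str, str], advisories: List[dict]) -> List[Finding]:
    """Return every advisory whose affected range contains the pinned version."""
    findings: List[Finding] = []
    for adv in advisories:
        pinned = deps.get(adv["package"].lower())
        if pinned is None:
            continue  # component not consumed, advisory irrelevant
        v = parse_version(pinned)
        if parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"]):
            findings.append(Finding(adv["id"], adv["package"], pinned,
                                    adv["severity"], adv["fixed"]))
    return findings


def gate(findings: List[Finding], fail_at: str = "high") -> bool:
    """True if the build should be blocked: any finding at or above fail_at."""
    threshold = SEVERITY_RANK[fail_at]
    return any(SEVERITY_RANK[f.severity] >= threshold for f in findings)


def report(findings: List[Finding]) -> List[str]:
    """Human-readable lines, one per finding, with the version to upgrade to."""
    return [f"{f.severity.upper():8} {f.advisory} {f.package}=={f.version} "
            f"(fixed in {f.fixed})" for f in findings]


if __name__ == "__main__":
    found = audit(parse_lockfile(LOCKFILE), ADVISORIES)
    print("\n".join(report(found)) or "no known vulnerable dependencies")
    # Non-zero exit fails the pipeline stage only for high/critical findings;
    # low-severity ones are surfaced to the developer without blocking.
    sys.exit(1 if gate(found, fail_at="high") else 0)
```

On the constructed input this reports a critical finding for the Struts pin and a low one for lodash, and leaves `requests` alone because 2.18.4 is numerically above the 2.3.0 fix even though it sorts below it as a string. The threshold is the policy knob: a team starting out might gate on `critical` only and tighten over time, which is exactly the kind of process change the point above calls for.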
5. Security companies will finally start investing in developers.
The growing attention to security by developer focused companies has a significant impact on the security provider market. Cloud and application security companies have consistently failed to get true developer adoption, but succeeded in selling to security teams later in the process. If developers start using tools that address their security needs earlier in the dev process, a downstream security company may never get a chance to engage!
As a result, I expect security companies to invest heavily in the developer experience in 2018. You’ll see more security companies at developer events, more online tools offering self-serve, though narrow, point solutions, and more UI changes favoring the developer’s role. As with any change, most of those attempts will fail, but the average security tool developer experience will improve.
Those are just the highlights of what I’m sure will be an exciting year, carrying its fair share of breaches – but also the first true signs of making security scale.