ShiftLeft 2018 Predictions: Accelerating Security with DevSecOps, Serverless and Continuous Improvement

VMblog Predictions 2018

Industry executives and experts share their predictions for 2018.  Read them in this 10th annual series exclusive.

Contributed by Manish Gupta, CEO and Founder, ShiftLeft

Accelerating Security with DevSecOps, Serverless, and Continuous Improvement

It's hard to find an organization these days not using cloud technologies in some way. One report (Morgan Stanley CIO 2016 Survey) has 91 percent of companies using public cloud by 2019, up from 53 percent in 2016.

There are three main areas that will become more prominent in 2018 as organizations across various sectors attempt to differentiate through innovation in cloud environments:

1. Continuous Improvement comes to security as applications become the epicenter of attacks:
According to Verizon's 2017 Data Breach Investigations Report, web application attacks are the leading cause of breaches, more than tripling from 9% to 30% since 2014. This is predominantly because no two applications are alike: they work in different ways and use OSS differently, so each has a different threat profile. Yet we have been protecting every application with off-the-shelf security solutions that either only analyze the code and create many false positives, or provide runtime protection that adds significant overhead to the application. The overhead of generic security solutions, which carry signatures for threats and vulnerabilities across hundreds of applications, operating systems and network elements, defeats the promise of cloud environments. For SaaS applications, IaaS/PaaS vendors now provide state-of-the-art, robust infrastructure-level security. In such scenarios, the exposed attack surface is the applications and the vulnerabilities in them, whether introduced inadvertently or borrowed through OSS use during rapid development. At ShiftLeft, security does not mean loss of agility or speed; in fact, with the cloud, it means just the opposite. Continuous improvement of application code by infusing it with security early in the development lifecycle will be key in 2018.
2. Serverless becomes the common way to deploy cloud-native applications:
Driven by the digital economy's demand for instant results without the hassle, serverless computing is becoming the common way to deploy new applications. The serverless concept is a prepackaged flavor of modern cloud-native architecture that decomposes applications into multiple stateless and elastic microservices. These are further architected around small serverless functions coupled together in distributed environments. Microservices shrink or grow to satisfy demand; they are restarted in case of a resource failure and can be changed to a newer version without breaking or taking down the entire application. In 451 Research's Voice of the Enterprise (VotE): Cloud Transformation, Workloads and Key Projects 2016 survey of 486 IT decision-makers, 37 percent were using serverless technology to some degree. Serverless is likely to continue growing in adoption, and in impact on the industry, over the next few years. Any time you discuss deploying an application in the cloud, security is at the top of the list of concerns. Serverless applications are no different in this respect, but they are radically different in how you have to implement security, especially considering that the deployment of individual compute functions is highly distributed. Security for serverless applications boils down to four key concerns:

1. Flow of data
2. Code quality
3. Monitoring production
4. Choice of APIs and services

Each of these areas is critical to the overall security of your serverless application. The onus is on the application owner to address them in this new paradigm of building cloud-native applications.

3. DevSecOps becomes viable with the advent of security automation for cloud workloads:
As movements like CI, CD and DevOps aim to cut down on release cycles, it's security's job to help control the risk. The risk landscape is complex, as modern development practices consume more and more third-party code and OSS. Increasing development speed also means that traditional manual security testing and SAST approaches would need to keep up with this rapid pace. Zero-day vulnerabilities would rise, and CVE-matching techniques would need to take a back seat. The holy grail of zero-day mitigation means that security needs to be continuous and rapid, and hence automated and autonomous. It is the DevSecOps model that should provide the increasing automation in security in the immediate future. DevSecOps combines the speed of delivery with the security needed to protect the applications. If AWS hadn't automated getting a server, DevOps wouldn't have emerged. Likewise, the lack of tools is what has kept DevSecOps from going beyond "an idea". 2018 will be the year of DevSecOps, as security teams increasingly rely on automated insertion of security into the development lifecycle with next-generation security tools. The philosophy involves building security into CI/CD so that it's baked in, and is built on the idea that "everyone is responsible for security".


About the Author

Manish Gupta, CEO and Founder, ShiftLeft

He was previously the Chief Product and Strategy Officer at FireEye, helping grow the company from approximately $70 million to more than $700 million in revenue, growing the product portfolio from 2 to more than 20 products. Prior, he was VP of Product Management for Cisco's $2 billion security portfolio. He also served as a VP/GM at McAfee and iPolicy networks.

Manish has an MBA from the Kellogg Graduate School of Management, MS in Engineering from the University of Maryland and a BS in Engineering from the Delhi College of Engineering.

Published Friday, November 17, 2017 7:26 AM by David Marshall