
Industry executives and experts share their predictions for 2019. Read them in this 11th annual VMblog.com series exclusive.
Contributed by Matthew Rose, Global Director Application Security Strategy and Erez Yalon, Head of Security Research, Checkmarx
DevSecOps Takes Center Stage
2018 was a banner year for software technologists, with artificial intelligence, machine learning and the Internet of Things all advancing at a rapid pace. Security breaches continued to make regular headlines, with serious attacks most often targeting the application layer. During 2018 we also watched DevOps move from buzzword to serious business: development teams of all sizes now use DevOps to keep up with the growing importance of software to modern business.
Looking ahead, 2019 will be a big year for DevSecOps, the integration of security practices into the DevOps process. While the theory has been around for some time, many organizations have struggled to truly bake security into their DevOps initiatives. The tendency to view security as being at odds with the goals of DevOps will give way to an embrace of DevSecOps as the space matures and moves from the theoretical into the practical. Automation should contribute to this trend: as security testing becomes quicker and more manageable for teams, the perception of security as a hindrance to speed will fade further.
In addition to DevSecOps taking center stage, we've pulled together other predictions to watch for in 2019 and beyond:
IAST: One of the primary trends we'll see emerging in 2019 is the widespread adoption of Interactive Application Security Testing (IAST). As more and more processes move toward automation, IAST, which tests automatically by leveraging your existing functional testing program and yields an additional set of data points about the risk in your web application, will increasingly be seen as a boon to security teams. Given its speed and effectiveness, we expect IAST usage to become very popular as we move through 2019.
Artificial Intelligence and Machine Learning: Artificial Intelligence (AI) and Machine Learning (ML) have changed from buzzwords into actual tools to work with. From an InfoSec point of view, AI/ML is already used in defensive tools to detect anomalies and potential threats, and there is much discussion of malicious actors trying to subvert these algorithms, for example by evading or poisoning them. The use of AI/ML in hacking tools is currently budding, and we predict that AI/ML-based or -assisted attacks will become more and more frequent.
Cloud: Cloud services have come a long way, from Infrastructure as a Service (IaaS), via Platform and Software as a Service (PaaS/SaaS), all the way to serverless computing. Now we see the rise of Function as a Service (FaaS), which abstracts away many layers of production. While these services are not without their downsides, they are convenient and cost-effective and let vendors concentrate on their own application rather than the plumbing beneath it. The caveat is that abstracting the infrastructure away shifts responsibility for it to the provider but leaves the application code, its configuration, and its identities and permissions with the customer. With these services now offered by giants like Amazon, Google and Microsoft, we can expect this trend to continue.
Internet of Things: IoT, in its current state, is not secure. There are secure devices out there, but they are the exception rather than the rule. Perhaps more concerning is that there is no revolution in IoT security on the horizon. IoT will continue to be vulnerable in 2019.
Microservices: Microservices architecture is common practice these days. When everyone is trying to be agile, delivering quickly and intelligently, microservices are the way to go. Maintaining a multi-service environment requires inter-service communication, usually through Application Programming Interfaces (APIs). These APIs are now part of the growing attack surface available to malicious actors, so we are going to see more attempts to abuse API vulnerabilities, while the security industry works on defining the security measures APIs need.
Open Source: Open source code, and more specifically open source code used as part of applications (aka third-party code), makes us redefine the concept of "trust." Vendors realize that it is hard to trust a third-party open source module, because doing so means trusting not only that the module itself is free of malicious code and vulnerabilities, maintained as required, and built securely, but also that every one of its own third-party open source dependencies is too. Given this understanding, we can expect more vendors to keep an eye on the open source code they deploy. Those who neglect this responsibility will encounter difficulties.
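To make the transitive-trust point concrete, here is an added example (not code from the article or from Checkmarx) that walks a constructed, simplified lockfile-style manifest from the directly declared dependencies down through their own dependencies, and flags every package, direct or inherited, whose version is not pinned exactly or whose integrity hash was never recorded. The package names, the manifest layout and the `sha256` field are assumptions for illustration; a real audit would read the project's actual lockfile (package-lock.json, Pipfile.lock, go.sum and so on).

```python
"""Transitive-dependency trust audit (added example, not Checkmarx code).

MANIFEST below is a constructed, simplified stand-in for a real lockfile.
Each entry records the version requirement the consumer declared, the
integrity hash recorded at install time (None if never recorded), and the
package's own dependencies. All names and versions are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample manifest (hypothetical packages).
MANIFEST = {
    "direct": ["web-framework", "json-utils"],
    "packages": {
        "web-framework":   {"spec": "==2.4.1", "sha256": "a1" * 32,
                            "deps": ["template-engine", "http-parser"]},
        "json-utils":      {"spec": "==1.0.3", "sha256": "b2" * 32, "deps": []},
        "template-engine": {"spec": ">=3.0",   "sha256": None,
                            "deps": ["string-escape"]},
        "http-parser":     {"spec": "==0.9.7", "sha256": "c3" * 32, "deps": []},
        "string-escape":   {"spec": "*",       "sha256": None, "deps": []},
    },
}

# Only an exact "==X.Y.Z" requirement counts as pinned; ranges and "*" float.
EXACT_PIN = re.compile(r"^==\d+(\.\d+)*$")


@dataclass
class Finding:
    name: str
    depth: int            # 1 = declared directly, >1 = inherited from a dependency
    via: List[str]        # dependency path from a direct dependency to this package
    issues: List[str] = field(default_factory=list)


def walk(manifest) -> Dict[str, Finding]:
    """Breadth-first walk from the direct dependencies, keeping the shortest path."""
    packages = manifest["packages"]
    seen: Dict[str, Finding] = {}
    frontier = [(name, 1, [name]) for name in manifest["direct"]]
    while frontier:
        name, depth, path = frontier.pop(0)
        if name in seen:
            continue
        if name not in packages:
            # Declared somewhere but never resolved: nothing here can be verified.
            seen[name] = Finding(name, depth, path, ["not present in manifest"])
            continue
        entry = packages[name]
        finding = Finding(name, depth, path)
        if not EXACT_PIN.match(entry["spec"]):
            finding.issues.append(f"version not pinned ({entry['spec']!r})")
        if not entry.get("sha256"):
            finding.issues.append("no integrity hash recorded")
        seen[name] = finding
        for dep in entry["deps"]:
            frontier.append((dep, depth + 1, path + [dep]))
    return seen


def audit(manifest) -> dict:
    """Summarise how much of the tree is inherited trust and which nodes are weak."""
    findings = walk(manifest)
    transitive = [f for f in findings.values() if f.depth > 1]
    flagged = sorted(f.name for f in findings.values() if f.issues)
    return {
        "total": len(findings),
        "direct": len(manifest["direct"]),
        "transitive": len(transitive),
        "flagged": flagged,
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(MANIFEST)
    print(f"{report['total']} packages: {report['direct']} direct, "
          f"{report['transitive']} inherited")
    for f in report["findings"].values():
        if f.issues:
            print(f"  {f.name} (via {' -> '.join(f.via)}): {'; '.join(f.issues)}")
```

On the sample manifest the two directly declared packages are both pinned and hashed, yet two of the three inherited packages are neither, and the `via` path shows exactly which direct dependency drags them in. That path is the information a vendor needs to decide whether to pin the transitive module, vendor it, or replace the direct dependency.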
Security: One of the biggest security threats we face today, as users of technology, is the loss of privacy. Sometimes we lose our privacy because we choose to (usually as a tradeoff for convenience, or simply by not reading a user agreement), but many times it is the result of malicious intent, negligence, or a lack of security awareness on the part of the vendors who create the applications or devices we use. Although this subject makes headlines all the time and is highlighted in legislation such as GDPR, bad actors still stand to profit greatly from cybercrime, so we will continue to see more breaches and leaks of private information in the years to come.
About the Authors
Matt Rose, Global Director Application Security Strategy, Checkmarx
Matt has over 18 years of software development, sales engineering management and consulting experience. During this time, Matt has helped some of the largest organizations in the world, across a variety of industries, regions and technical environments, implement secure software development life cycles utilizing static analysis. Matt's extensive background in application security, object-oriented programming, multi-tier architecture design/implementation, and internet/intranet development has been key to many speaking engagements for organizations like OWASP, ISSA, and ISACA.
Erez Yalon, Head of Security Research, Checkmarx
Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx's top-notch vulnerability detection technology, where his previous development experience with a variety of coding languages comes into play.