2021 DevSecOps Trends to Expect

By Jeff Whalen, VP of Product, ForAllSecure

The acceleration of application development has shown no sign of stopping. The result is increasingly complex, interconnected software. These forces are driving organizations to go beyond merely identifying common security errors or protecting against common attack techniques. Increasingly complex applications are calling for the need to anticipate, detect, and respond to new threats. 

Next year we will see development teams embrace new tools that will produce software at scale, while maintaining the integrity and security of their code. 

API attacks bring attention to API risks

There are more than 23,000 public web APIs, and the API market is estimated to be worth $5.1 billion by 2023. APIs bring considerable benefits - including internal interoperability, reduced development time, and extended functionality. As a result, organizations have grown increasingly reliant on this technology, which remains largely untested. 

Third-party software can expose companies to vulnerabilities and weaknesses within software they do not own. Next year organizations will look for tools that will help them better understand how the third-party software behaves with their own APIs. 

The rise of fuzzing to address CI/CD needs: Development speeds and deployment frequencies have only continued to intensify and that will not change in the coming years. In response, developers are turning to Continuous Integration (CI) like automation tools that support building and testing within the SDLC and Continuous Delivery (CD) to orchestrate software production. The CI/CD pipeline constitutes a crucial bridge between the development organization and those consumers who use its products. But digital attackers know that by gaining access to the CI/CD pipeline, they can corrupt the software delivery process.  

Next year we'll see an increasing need for highly accurate and automated security testing techniques. Development teams will look for testing solutions that offer multiple layers of testing -- whether it's unit testing, regression testing, or negative testing -- earlier in the development cycle. 

Rust goes mainstream: This year Rust broke into the TIOBE index top 20 for the first time, but 2021 is the year that Rust will go mainstream. The language will continue to mature and will become a preferred language for new projects at startups and enterprises alike. 

Developers have found that it offers performance without compromising safety. Microsoft, Amazon, Apple, Cloudflare, and many others are transitioning projects to Rust, or selecting it as the language of choice for new projects. While there is always a new hip language (or flavor of the week), Rust's offering is unique and will only grow in popularity. 

Unit testing becomes automated: While unit testing is considered an essential part of detecting and protecting against software bugs, some organizations find the process burdensome. It can also lead to friction associated with regulatory or other compliance, integration challenges with legacy technology, or be viewed as a cost center by more traditional leadership. 

Amid demands to push more testing left, the time is ripe for automation technology to evolve unit testing approaches. Property-based fuzzing -- technologies like fuzzing, combined with property-based testing techniques -- are significantly more effective and efficient than traditional unit testing methods. As organizations see gains from property-based fuzzing, we will see deeper integrations between fuzzing techniques and source code management systems in 2021. 

##

About the Author

Jeff brings more than a dozen years of product experience to ForAllSecure, where he serves as the Vice President of Product Management. An experienced, highly analytical product executive, Jeff's focus is driving ForAllSecure's product strategy and execution. Prior to ForAllSecure, Jeff served as a director of product management at Contrast Security, where he headed up program management as the company grew and secured series B and series C funding rounds. Jeff has a breadth of experience with cybersecurity solutions, previously working at Zscaler Corporation, HP ArcSight, Good Technology and Blue Coat Systems, now part of Broadcom. Prior to his career in cybersecurity, Jeff spent 8 years working in semiconductor engineering at NVIDIA and Transmeta. Jeff holds a BS in Electrical and Computer Engineering from Carnegie Mellon University.