Azul 2023 Predictions: Five security predictions for 2023 and beyond


Industry executives and experts share their predictions for 2023.  Read them in this 15th annual VMblog.com series exclusive.

Five security predictions for 2023 and beyond

By Erik Costlow, Senior Director of Product Management, Azul

Security predictions are a tricky business - something almost always happens that is both unexpected and a big deal. Still, preparation can go a long way to protect against looming threats. Here are some trends to keep an eye on in 2023.

1. Security must catch up to DevOps

For years, security has typically lagged behind DevOps, either because DevOps teams went full speed ahead and paid only partial attention to security, or because they paid some attention but were never certain that their security model was correct.

The disconnect has led to a sort of "bolt-on do-it-later" security or security tooling that came late and didn't quite fit. As sub-industries reached a stable point, security eventually caught up. Network security is pretty good, and operating system security is doing well, but a lot of the risk now is in applications: the custom piece that DevOps does at a much faster rate.

We're at a point where the broader groups of application buyers and users expect applications to be secure, so security is finally being pulled forward. At some point, the role of security will evolve beyond the silo of experts or the "center of excellence" approach. Security capabilities and knowledge will merge with many DevOps tools and processes, ideally to automate the risk away.

2. Investors will look for speed

The security approaches that will draw attention from investors are those that come closer to matching DevOps speed in newer areas. This is often where the seed investments go, because the firm hopes to gain a first-mover advantage and have its solution baked into the way the DevOps approach is designed, capturing more of the addressable market. Infrastructure-as-code security companies are one example of this pattern.

3. Protecting the software supply chain

According to Gartner, attacks on the software supply chain are expected to triple over the next few years. Security teams must increase their awareness of one of the most substantial attack vectors: vulnerabilities in Java libraries and components.

One of the most significant gaps in the software supply chain lies in production code, where open-source or third-party software can open the door to attack. Failure to detect and patch known vulnerabilities across an organization's Java application estate can expose it to significant impact and cost, including financial penalties running into the hundreds of millions of dollars, compromise of customer data, lower market capitalization, and turnover in executive staff.

It doesn't make sense to have developers comb through thousands of lines of code to find potential vulnerabilities - that's a waste of time and resources. Instead, DevOps teams need tools that detect these vulnerabilities in their stacks before attackers can exploit them.

4. Java's role in security

Java continues to be one of the most-used languages, trading places with JavaScript and C/C++ in the popularity rankings. With recent advances in Spring and Quarkus, Java can be used for more cloud-native applications than before, because what was merely possible is now practical. At the same time, Java's ecosystem is hardened to support many types of security analysis of Java applications and to block the dependency confusion attacks that have occurred in other ecosystems.

The future of Java is secure and reliable development. That will prove critical now that developers have their hands on the wheel of critical business areas, such as security and infrastructure costs. Executives will have little patience for developers who abdicate the responsibility of how their technology decisions impact the broader company.

5. Lightning round: what to watch for

These are the trends poised to capture a lot of attention next year in the security space:

  • Inventories and SBOMs. With CISA taking a guiding role for the US Federal Government and exerting its influence on vendors, it's impossible for software providers not to notice and understand what the word "requires" means. Integrating a software bill of materials (SBOM) into your application security toolset will keep DevOps and security teams connected and will save you time when it's time to remediate.
  • Observability. In DevOps and Platform Engineering teams, observability is built in for problem resolution to identify how information flows through a system and track what went wrong. When security ties into observability, you have better insight into what constitutes normal and safe behavior so that you can pick out what's abnormal and dangerous. This will be at a more granular level than today.
  • Team structure. Instead of acting as consultative teams of experts, I'd like to see a trend where security teams follow the Team Topologies approach to become enabling teams or even rotate members onto stream-aligned teams to embed security into the normal workflow.
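The supply-chain point above (detecting known-vulnerable Java libraries) and the SBOM bullet meet in one concrete check: matching the components listed in a CycloneDX SBOM against an advisory feed by Maven coordinates and version range. The example below is added here and is not Azul's code or tooling; the SBOM fragment, the advisory list, the `org.example` coordinates and the `EXAMPLE-*` advisory ids are all constructed for illustration.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment for a hypothetical Java service
# (sample data, not taken from any real project).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "group": "org.example", "name": "json-util", "version": "2.3.1",
     "purl": "pkg:maven/org.example/json-util@2.3.1"},
    {"type": "library", "group": "org.example", "name": "log-core", "version": "1.9.5",
     "purl": "pkg:maven/org.example/log-core@1.9.5?type=jar"},
    {"type": "library", "group": "org.example", "name": "http-client", "version": "4.0.0",
     "purl": "pkg:maven/org.example/http-client@4.0.0"}
  ]
}"""

# Constructed advisory feed (hypothetical ids): the affected Maven coordinates and
# the vulnerable range, inclusive of "introduced" and exclusive of "fixed".
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "purl_prefix": "pkg:maven/org.example/log-core",
     "introduced": "1.0.0", "fixed": "1.9.6"},
    {"id": "EXAMPLE-2022-0002", "purl_prefix": "pkg:maven/org.example/json-util",
     "introduced": "2.0.0", "fixed": "2.3.0"},
]

def parse_version(v):
    """Split a dotted version into an integer tuple for ordering ('1.9.5' -> (1, 9, 5))."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def affected(version, introduced, fixed):
    """True when introduced <= version < fixed under numeric component ordering."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)

def find_vulnerable_components(sbom_json, advisories):
    """Return (purl, advisory id) pairs for every SBOM component inside an advisory range."""
    findings = []
    for comp in json.loads(sbom_json).get("components", []):
        purl = comp.get("purl", "")
        coord, _, version = purl.partition("@")
        version = version.split("?")[0]          # drop purl qualifiers such as ?type=jar
        for adv in advisories:
            if coord == adv["purl_prefix"] and affected(version, adv["introduced"], adv["fixed"]):
                findings.append((purl, adv["id"]))
    return findings

if __name__ == "__main__":
    for purl, adv_id in find_vulnerable_components(SBOM_JSON, ADVISORIES):
        print(f"{adv_id}: {purl}")
```

Real feeds (OSV, GitHub advisories, vendor bulletins) carry several ranges per advisory and non-numeric version schemes, so a production check needs a fuller version comparator than the one shown here.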

Awareness and knowledge are the underpinnings of any security program, and I hope these trends will help security pros stay ready for what's ahead.


ABOUT THE AUTHOR


Erik Costlow is a software security expert with extensive Java experience. He handles the security of Azul's JVMs, which operate at peak speed while making security easier and better for all. Erik was the principal product manager at Oracle focused on the security of Java 8, joining at the height of the hacks and departing after a two-year absence of zero-day vulnerabilities. During that time, he learned the details of Java at both a corporate/commercial and a community level. He also assisted Turbonomic's product management team with data center/cloud performance automation. Erik also led product management for the Fortify static code analyzer, a tool that helps developers find and fix vulnerabilities in custom source code. Erik has also published several developer courses through Packt Publishing on data analysis, statistics, and cryptography.

Published Thursday, December 22, 2022 7:38 AM by David Marshall