Industry executives and experts share their predictions for 2023. Read them in this 15th annual VMblog.com series exclusive.
Five security predictions for 2023 and beyond
By Erik Costlow, Senior Director of Product Management, Azul

Security predictions are a tricky business - something almost always happens that is both unexpected and a big deal. Still, preparation can go a long way to protect against looming threats. Here are some trends to keep an eye on in 2023.
1. Security must catch up to DevOps

For years, security has typically lagged behind DevOps, either because DevOps teams went full speed ahead and paid only partial attention to security, or because they paid some attention but were not always certain that their security model was correct.
The disconnect has led to a sort of "bolt-on, do-it-later" security, or security tooling that came late and didn't quite fit. As sub-industries reached a stable point, security eventually caught up. Network security is pretty good, and operating system security is doing well, but a lot of the risk now is in applications: the custom piece that DevOps produces at a much faster rate.
We're at a point where the broader groups of application buyers and users expect applications to be secure, so security is finally being pulled forward. At some point, the role of security will evolve beyond the silo of experts or the "center of excellence" approach. Security capabilities and knowledge will merge with many DevOps tools and processes, ideally to automate the risk away.
2. Investors will look for speed

The security approaches that will draw attention from investors are those that come closer to matching DevOps speed in newer areas. This is often where the seed investments are, because the firm hopes to get a first-mover advantage and have its solution baked into the way the DevOps approach is designed, capturing more of the addressable market. This includes areas such as infrastructure-as-code security.
3. Protecting the software supply chain

According to Gartner, attacks on the software supply chain are expected to triple over the next few years. Security teams must increase their awareness of one of the most substantial attack vectors: vulnerabilities in Java libraries and components.
One of the most significant gaps in the software supply chain lies in production code, where open-source or third-party software could open the door to potential attacks. Failure to detect and patch known vulnerabilities in their Java application estates can expose organizations to significant impact and cost, including financial penalties running into the hundreds of millions of dollars, compromise of customer data, lower market capitalization, and turnover in executive staff.
It doesn't make sense to have developers look at thousands of lines of code to find potential vulnerabilities - that's a waste of time and resources. Instead, DevOps teams need tools that will detect these vulnerabilities before attackers can exploit their stacks.
4. Java's role in security

Java continues to be one of the most-used languages, trading places in the rankings with JavaScript and C/C++. With recent advances in Spring and Quarkus, Java can be used in more cloud-native applications than before, because what was merely possible is now practical. At the same time, Java's ecosystem is hardened to support many types of security analysis of Java applications and to block the dependency confusion attacks that have occurred elsewhere.
The future of Java is secure and reliable development. That will prove critical now that developers have their hands on the wheel of critical business areas, such as security and infrastructure costs. Executives will have little patience for developers who abdicate responsibility for how their technology decisions impact the broader company.
5. Lightning round: what to watch for

These are the trends poised to capture a lot of attention next year in the security space:
- Inventories and SBOMs. With CISA taking a guiding role in the US Federal Government and exerting its influence on vendors, it's impossible for software providers not to notice and understand what the word "requires" means. Integrating a software bill of materials (SBOM) into your application security toolset will keep DevOps and security teams connected and will save you time when it's time to remediate.
- Observability. In DevOps and Platform Engineering teams, observability is built in for problem resolution, to identify how information flows through a system and track what went wrong. When security ties into observability, you have better insight into what constitutes normal and safe behavior, so that you can pick out what's abnormal and dangerous. This will be at a more granular level than today.
- Team structure. Instead of acting as consultative teams of experts, I'd like to see a trend where security teams follow the Team Topologies approach to become enabling teams, or even rotate members onto stream-aligned teams to embed security into the normal workflow.
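The supply-chain point above (tools, not developers, should spot known-vulnerable Java components) and the SBOM item in the lightning round come together in a small checker. The example below is added here and is not Azul's or the author's code: it reads a constructed CycloneDX-style SBOM, parses the Maven package URLs of each component, and compares versions against a constructed advisory list whose names and ids are placeholders, not real advisories.

```python
import json
import re

# Constructed CycloneDX-style SBOM fragment (not from any real build).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "purl": "pkg:maven/com.example/json-mapper@2.9.3"},
    {"type": "library", "purl": "pkg:maven/com.example/template-engine@1.4.0"},
    {"type": "library", "purl": "pkg:maven/com.example/crypto-utils@3.1.1"}
  ]
}
"""

# Constructed advisory feed: (group, artifact, first fixed version, advisory id).
# Placeholder names and ids; a real feed would come from NVD, OSV or a vendor.
ADVISORIES = [
    ("com.example", "json-mapper", "2.9.8", "ADV-EXAMPLE-0001"),
    ("com.example", "template-engine", "1.3.0", "ADV-EXAMPLE-0002"),
]

# Maven purl shape: pkg:maven/<group>/<artifact>@<version>[?qualifiers][#subpath]
PURL_RE = re.compile(r"^pkg:maven/([^/]+)/([^@]+)@([^?#]+)")


def parse_version(v: str) -> tuple:
    # "2.9.3" -> (2, 9, 3); non-numeric segments sort as 0 so tuples compare cleanly.
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))


def components(sbom_text: str):
    # Yield (group, artifact, version) for every Maven component in the SBOM.
    for c in json.loads(sbom_text).get("components", []):
        m = PURL_RE.match(c.get("purl", ""))
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_vulnerable(sbom_text: str, advisories=ADVISORIES) -> list:
    """Return [(purl, advisory_id, fixed_in)] for components below a fixed version."""
    findings = []
    for group, artifact, version in components(sbom_text):
        for adv_group, adv_artifact, fixed_in, adv_id in advisories:
            same_artifact = (group, artifact) == (adv_group, adv_artifact)
            if same_artifact and parse_version(version) < parse_version(fixed_in):
                findings.append((f"pkg:maven/{group}/{artifact}@{version}", adv_id, fixed_in))
    return findings


if __name__ == "__main__":
    for purl, adv_id, fixed_in in find_vulnerable(SBOM_JSON):
        print(f"{purl}: affected by {adv_id}, upgrade to {fixed_in}")
```

Only json-mapper is flagged: template-engine is already at or above its fixed version and crypto-utils has no advisory, which is the kind of triage a developer should not have to do by reading library code.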
Awareness and knowledge are the underpinnings of any security program, and I hope these trends will help security pros stay ready for what's ahead.
ABOUT THE AUTHOR

Erik Costlow is a software security expert with extensive Java experience. He handles the security of Azul’s JVMs, which operate at peak speed while making security easier and better for all. Erik was the principal product manager at Oracle focused on the security of Java 8, joining at the height of the hacks and departing after a two-year absence of zero-day vulnerabilities. During that time, he learned the details of Java at both a corporate/commercial and community level. He also assisted Turbonomic’s product management team in data center/cloud performance automation. Erik also led product management for the Fortify static code analyzer, a tool that helps developers find and fix vulnerabilities in custom source code. Erik has also published several developer courses through Packt Publishing on data analysis, statistics, and cryptography.