In 2023, organizations will focus their time and resources on the continued shift left of security, completing the evolution from DevOps to DevSecOps. GitLab Chief Marketing and Strategy Officer Ashley Kramer says that every company will need to have security tightly integrated into DevOps to combat the increased threats throughout the software development lifecycle. In addition, DevSecOps teams will have to continue to focus on supply chain security, make optimal use of artificial intelligence and machine learning, and expand their use of value stream analytics. GitLab leaders from across disciplines share these predictions and more about how the industry will change this year.
Prediction 1: Protecting the supply chain will be the top priority
Security will continue to be an organization-wide responsibility, shifting further left and spanning from the IDE to applications running in production, according to David DeSanto, Chief Product Officer.
In our 2022 Global DevSecOps survey, 57% of security team members said their organizations have either shifted security left or are planning to this year. Half of security professionals report that developers are failing to identify security issues – to the tune of 75% of vulnerabilities.
The shift left will be driven in part by the need for tighter security for software supply chains. “As remote development becomes more and more commonplace, software supply chain security will play a more expansive role across the software development lifecycle,” DeSanto says.
Francis Ofungwu, Global Field CISO, predicts this supply chain security evolution will happen in three key ways:
The engineering frontlines will take on more ownership of managing threats in their day-to-day operations. In order to accomplish this, developers will need real-time context on vulnerabilities and remediation strategies in each phase of the software development lifecycle (SDLC), consequently reducing the likelihood of painful incidents in production environments.
Security and compliance teams will invest in transcribing their software assurance expectations into policy-as-code to reduce the manual and time-consuming security review processes that reduce development velocity.
As a result of headline-grabbing incidents highlighting enterprise risks in modern software development, organizations will build audit programs to better assess and report SDLC risks. This will require organizations to design how to deliver artifacts that prove the immutability of the controls deployed across all aspects of their development toolchain.
Organizations should also expect that “what have been best practices for supply chain security for many years, will now become regulatory requirements,” says Corey Oas, Manager, Security Compliance (Dedicated Markets). He points to artifact attestation and software bill of materials (SBOM) generation as examples of best practices that will soon become federal government or industry mandates. “Both of these are integral to developer workflows.”
Sam White, Group Manager, Product - Govern, doubles down on the SBOM and artifact attestation prediction, saying both SBOMs and attestations will need ongoing attention from DevSecOps teams. “Expect to see a shift from looking at these as one-time events to them becoming part of a continuous evaluation process,” he says, adding that organizations will need deeper visibility into software dependencies (e.g. open source packages) and more centralization of software build information.
Another element of software supply chain security is zero trust. “Organizations have considered zero trust strategies for a while, and it will be an implementation focus for them going forward,” predicts Joel Krooswyk, GitLab Federal CTO. “One reason for this movement, at least among federal agencies and their suppliers, is the recent release of the Department of Defense zero trust architecture strategy and roadmap and the inclusion of zero trust principles in several National Institute of Standards and Technology publications such as 800-207.”
Get more public sector predictions with our webcast “2022 Lookback & 2023 Predictions in Cybersecurity & Zero Trust with GitLab”.
Prediction 2: Security will burrow deep into DevOps education
To mirror the transformation of DevOps to DevSecOps, DevOps training and education will include security as a key part of the curricula, White says. “Organizations will have to provide access to the training that developers need to get a baseline security knowledge, including why certain vulnerabilities are important and should be addressed right away,” he says.
Pj Metz, Education Evangelist, believes 2023 will be the year that “Shift Left principles will show up in university classrooms.”
“Already, the GitLab for Education team has seen more and more requests for information on DevSecOps, and not just in computer science and programming. Information systems students are looking to learn more about DevSecOps as well,” he says. “Integrating security education directly into DevOps curricula will ensure that future professionals will be prepared for all aspects of DevSecOps.”
And he encourages DevOps students to ask for security to be added into their education so they will be properly prepared for the workforce.
Prediction 3: AI/ML will be used throughout the SDLC
“AI will become essential for productivity,” Kramer says. “For example, DevOps teams will integrate AI/ML to automate repetitive and difficult tasks. Ideally, this would ease the burden on developers by removing their cognitive load, decreasing the amount of context-switching they have to do, and enabling them to stay in the flow of development.”
According to our 2022 Global DevSecOps survey, 62% of respondents practice ModelOps, while 51% use AI/ML to check code.
“Combining digital transformation with business analytics and AI - real transformations are possible,” says Christina Hupy, Sr. Manager, Community Programs. “As more of their data is input, businesses can draw actual insights and use AI to continuously improve their systems.”
DeSanto agrees and predicts that AI-assisted workflows will gain popularity in application development. “AI/ML will further enable rapid development, security remediation, improved test automation, and better observability,” he says.
Taylor McCaslin, Group Manager of Product for Data Science, says that while AI/ML certainly isn’t new, making technologies such as open-ended AI accessible to consumers has set an expectation that the industry will figure out how it can be better used in software development (think code completion and other such tasks).
He predicts that while AI/ML will be used all along the SDLC, organizations will grapple with privacy concerns, preserving intellectual property (such as AI-generated code ownership) and permissiveness of licenses for training data sets and algorithms.
At the same time, he says to look for “more rapid development in the MLOps and DataOps spaces to help developers manage, maintain, and iterate on production software systems that leverage ML and AI.” (Note: GitLab is investing in our ModelOps stage to help support the development of data science-enriched software within the GitLab platform.)
Prediction 4: Value stream analytics will take on a greater role in organizations
The digital transformation that organizations will undergo this year will require a deeper commitment to examining value streams. “Value stream analytics will extend past development workflows to provide a more holistic view of the value organizations deliver to their users (both internal and external),” DeSanto says.
Executive leadership will seek out metrics that give insight into how digital transformation and technological investments are delivering value and driving business results. This is a shift from solely focusing on development efficiencies. The 2022 Global DevSecOps survey found that 75% of respondents are either using a DevOps platform or plan to move to one within a year, with metrics and observability among the drivers of this change.
Prediction 5: Observability will shift left for efficient DevSecOps
Observability will also move further left in the SDLC, according to Michael Friedrich, Senior Developer Evangelist. “Observability-driven development will enable everyone to become more efficient and inspire innovation,” he says.
New observability-enabling technologies like eBPF will help developers with automated code instrumentation, rather than adding to their workload with manual instrumentation. eBPF also supports better observability and security workflows in cloud-native environments.
Observability will play a critical role in improving the efficiency of DevSecOps workflows, including CI/CD, infrastructure cost analysis, and trending/forecasting for better capacity planning.
What do you think will be the big DevSecOps technology advancements this year? Let us know your predictions in the comments below.
Engage with DevSecOps experts
Want to dig deeper into how to innovate while still keeping an eye on cost efficiencies? Sign up for our webcast “GitLab’s DevSecOps Innovations and Predictions for 2023” on Jan. 31 to get expert advice and insights about this era of DevSecOps transformation and the tools and strategies you’ll need to meet this challenge.