DevSecOps trends in 2021
Developers have a lot on their plates already, yet security is shifting left to the developer. I talked to several CISOs & security engineers about their DevSecOps culture, and here are some things I heard. This was originally written on Twitter (@reneeshah123).
- Security and quality are the last two major silos in technical organizations. Data used to be a silo, but that’s changing. Security can’t scale if it’s siloed. Thus, the only option is to go mainstream.
- Security engineers are on the rise, and they’re becoming important buyers of software. Security engineers should join Platform Engineering teams and set standards for security across the org.
- Security tools need to focus on developer productivity. Developers want to ship new features fast. Security can only be a byproduct of this goal. The best products combine security & developer productivity.
- Supply chain security is a top priority. Data privacy is a top priority. Fixing misconfigurations is a top priority. All are areas where developers and security can work together in 2021.
- Discovery of vulnerabilities is pretty commoditized; the scanner itself is a commodity. The differentiator is building a single pane of glass for all alerts and prioritizing them within the developer workflow. Workflow is everything.
- Security will shift farther left in the software development lifecycle. The earlier the better for developers. What other security measures can be added within the IDE? What more can be added at commit?
- There is still a cultural clash between security and developers, but startups are closing the gap. Security tooling is UI-focused, closed-source, expensive, and sold top-down. Developer tooling is open source, API-first, CLI-first, and simple to deploy.
- Our goal in the future is never to touch production. We don’t want to interrogate systems. We want to interrogate code. We want prior knowledge of all our assets and their vulnerabilities.
- Security should encourage killing instances and redeploying them from a clean image instead of fixing them in place. This is easier than blasting tickets to everyone.
- We want to delete more code in 2021. If we delete code that we’re not using, we don’t have to patch it. Hopefully this is a win for everyone.
As always, I’m keen to hear other points of view. If you work in security, feel free to reach out to chat!