What is trending with DevSecOps in 2023?

“DevSecOps” – one of the trending topics this decade, of course for some it is a major milestone to be achieved in 2023. It is the next logical step once teams get compliant with DevOps. I did talk about the differences last year in my article, click here to read about DevOps & DevSecOps; there are three “E”s that needs focus when we head on the journey of DevSecOps-

1. Embrace the new culture – more collaboration between teams, especially the security team
2. Embed security principles in the pipeline – emphasise on shift left security testing
3. Evolve with feedback – listen to your teams and change course of action for the good.

And all the above is possible with the support from senior leadership who sponsor and motivate the teams to continuously practice the principles on DevSecOps. So, what is trending in this direction?

Trend 1 – Training & Upscaling – Developers are encouraged to attend training programs and learn the art of embedding security principles while building the CI/CD pipelines. In fact, teams are sponsored to get certified, this is a win-win for both the teams as well as for the organisations. For the teams, it is a great medium to upscale and become more productive. On the other hand, for the organization; their teams are learning the new norm and moving towards the culture of trust, quality, security and transparency.

Trend 2 – Collaborative teams – Certified champions from the security unit are embedded in product teams to guide the teams towards security know-hows. They get involved in their planning meetings, stand up meetings, code review meetings and contribute in every possible way to ensure that security rules are not pushed towards the right of the lifecycle; instead it is practiced at every level.

Trend 3 – Code Auditing – There is always an inclination towards using third party libraries or framework in the code to deliver faster. And hence it becomes imperative to ensure that before the actual launch, the code is thoroughly audited for any open issues. Tools like HCL AppScan, white-source (now known as mend), OWASP ZAP, etc are now practiced around the product lifecycle.

Trend 4 – AIOPs and Observability – The world in IT Operations is changing drastically. Enterprise strategies include plans to adopt, implement and practice automation wherever possible to remove human interpretations. Proactive monitoring, predictive analysis, self-healing solutions, self-servicing, and many more such milestones are now part of the strategic plan. It is an evolving journey that starts with the identification of use cases that prove to be beneficial, after all it does ask for investments in tools and people who will run the show.

Trend 5 – Cloud, Cloud and Cloud – While moving to the cloud is an easy decision, but maintaining and controlling the workloads is a never ending job. Companies have setup teams, calling them “CloudOps”, who take care of the operational demands on the cloud, they work closely with governance teams to check on the cloud costs and if possible optimise wherever possible. There of course is a bit of change in the operating model and ways of working too. Automation plays a key role to bring in quality, compliance, security; nothing gets un-noticed. Infrastructure as code (IAC) is around for over a decade and teams are finding ways to build effective pipelines for provisioning, decommissioning and tracking cloud components.

These trends are not new, their adoption is just going to span through more and more teams. There will be success and failures too but the bottom line is not to compromise on security. Security is not a siloed function, it needs to be embedded across the enterprise and by all teams.

Agree? Feel free to share your trending practices on DevSecOps!!