Software delivery lifecycle security predictions from OpsMx
Wednesday, December 20, 2023
Richard Harris |
Gopinath Rebala shares his software delivery lifecycle security predictions, including that attackers will find new areas to exploit in the delivery and deployment stages, customers will start demanding proof of security compliance, and the impacts GenAI will bring, both good and bad.
Heading into 2024, enterprises face mounting security concerns related to data breaches, evolving privacy regulations, and their increasing reliance on the cloud and software service providers. As such, they are under increasing pressure to secure the software delivery lifecycle and better understand where the threats are coming from and what their vulnerabilities are. With that in mind, here are three predictions related to how security challenges in the software development industry - and responses to them - will change in the coming year.
1. As security defenses shift left, attackers are shifting right
As threats have evolved over the last several years, the security mindset has shifted left, focusing on preventing attacks by increasing developer awareness of security issues and enforcing security policies during the earliest stages of the software development lifecycle. Today, as vulnerabilities are eliminated on the left, attackers are getting creative and moving right to find new areas to exploit in the delivery and deployment stages of the lifecycle. As a result, enterprises can’t focus on just the latest threat vector that makes headlines or run their code scan and declare an application "secure."
In 2024, we expect to see more attention to the end-to-end “code to cloud” software development lifecycle, including security risks and attack vectors in the steps between build and deployment.
2. Customers are demanding "show," not "tell," for proof of software security compliance
As a result of the many high-profile attacks on software providers, in 2024, we will increasingly see end-user customers pushing back on vendors who simply list their ISO and SOC certifications. Enterprise customers will want to see under the hood into both vendors’ code and operations. Customers will want to know how vendors handle network isolation, how they handle vulnerability management, etc. They will start putting the requirements into their contracts for process compliance, auditability, and enforcement, such as through a software bill of materials (SBOM).
We see a parallel to this with ESG reporting where consumers are demanding proof of sustainable practices across a product’s entire supply chain. However, with software security, the stakes are even higher, with material security risks to customers and business risks to vendors from lost deals.
3. Generative AI brings better security protection and new security threats
Many organizations have a highly fragmented security stack generating siloed security data. The amount of data being produced everywhere by software systems - applications, sensors, storage systems, load balancers, CI/CD systems, identity management systems, etc. - makes manual analysis and reporting impractical. In 2024, we will see the application of Generative AI (GenAI) to solutions that can instantly summarize huge amounts of information across tools and systems to enable security teams to ask questions in natural language to understand their security posture and respond to incidents.
GenAI is also likely to be a powerful new attack vector. We will likely see the rollout of inadequately vetted code generation solutions or multiple solutions that don’t work well with each other, introducing new security exposures. For example, a generated code snippet might include a MySQL injection vulnerability that is missed by other AI-powered tools and can therefore be exploited in production. Preventing this will require a new single, centralized security layer that can itself leverage GenAI to review every aspect of generated code before permitting it into production environments, create new policies to reduce the possibility of GenAI-based threats, and eventually understand how to prevent such attacks.
Conclusion
Once something of an afterthought in the software delivery lifecycle, security must now be part of every software development decision, workflow change, and tool update or replacement. By closely following the trends related to evolving attack vectors, customer demands for more transparency in software development processes, and the impact of generative AI, enterprises can make smarter decisions in 2024 related to protecting their systems, people, and customers.
About Gopinath Rebala
Gopinath Rebala is the CTO of OpsMx, where he has overall responsibility for the machine learning and data processing architectures of OpsMx Enterprise for Spinnaker. Rebala also has a strong connection with our customers, leading design and architecture for strategic implementations.
Become a subscriber of App Developer Magazine for just $5.99 a month and take advantage of all these perks.
MEMBERS GET ACCESS TO
- - Exclusive content from leaders in the industry
- - Q&A articles from industry leaders
- - Tips and tricks from the most successful developers weekly
- - Monthly issues, including all 90+ back-issues since 2012
- - Event discounts and early-bird signups
- - Gain insight from top achievers in the app store
- - Learn what tools to use, what SDK's to use, and more
Subscribe here