Cloudy with a Chance of Malware – What’s Brewing for DevOps?
As 2023 gets into high gear in the coming months, the cloud native ecosystem is set to reinforce its core business value across enterprises to become even more mission critical to the digital economy. By contrast, embedding security into the DevOps methodology is still evolving, leaving specific predictions about the future of DevOps engineering open to question.
However, in our opinion, a few trends are more than likely to shape the cloud native security landscape in the coming year:
1. Cloud Native Security: Forrester expects more enterprises to adopt cloud native technologies as they increasingly opt to run workloads in containers rather than legacy virtual machines. As such, 40% of organizations will take a “cloud native first” strategy in 2023, as they look to increase agility and efficiency while reducing costs, but security will continue to be a major concern.
As more organizations adopt container and Kubernetes technologies, there will be a corresponding growth in the development of tools and practices for securing these environments, prompting DevOps to respond more thoughtfully to security.
Threat actors will unleash iterations of malware designed to break cloud native environments. Developers will feel a greater need to incorporate security earlier in their application development cycle. Therefore, as 2023 unfolds, the industry will see DevOps increasingly evolving into DevSecOps. New security standards will solidify into actionable best practices, alongside greater adoption of cloud native security tools and an increased focus on zero trust as a security principle.
2. Containers and Kubernetes Security: Securing containerized applications and Kubernetes will be a priority this year due to adoption going mainstream. There will be a greater focus on integrating Kubernetes security with broader cloud security frameworks, including integrations with cloud-based identity and access management systems and cloud-based security event and incident management systems. Securing the Kubernetes control plane is critical to the overall security of the cluster, and it will become an increasingly important focus for Kubernetes security practitioners. Policy-as-code for Kubernetes is expected to mature and gain greater traction. This year, dozens of leading organizations will embrace Open Policy Agent (OPA) in their Kubernetes deployments. We also believe that DevSecOps will welcome observability solutions in the cloud native security marketplace. These solutions pull data from events, logs, telemetry and traces together into a comprehensive yet aggregated view from which to quickly troubleshoot issues in Kubernetes.
3. Serverless Computing and Security: Serverless computing is relatively new to the cloud native landscape. Despite its ability for adaptation and integration, it lacks standardization and interoperability. The resulting risk of vendor lock-in has left many enterprises stalled in their adoption journey even as serverless computing continues to pique the interest of developers for event-based workloads. To bridge the gap and broaden adoption across vendor-agnostic functions, we will witness disruption in this space with the Google-sponsored Knative project. The open source, enterprise-level Knative framework will ensure standards are shared across different serverless Function as a Service (FaaS) implementations, thereby raising the bar on interoperability. Another disruption to serverless is an emerging concept called “infrastructure-from-code” (IfC) as a way of creating applications that allow your cloud provider to inspect the application code during deployment, then automatically provision the underlying infrastructure the application code needs.
Further, as the complexity of serverless environments increases, automating security policy enforcement and leaning on AI/ML techniques to improve the accuracy and efficiency of SecOps will take precedence. Expect to see an increased emphasis on securing the function code and runtime environment with measures such as code signing and verification along with hardening runtime environments to prevent malicious code injection.
4. API Security: Gartner predicts that this year over 50% of business-to-business transactions will be performed through real-time APIs. By 2025, less than 50% of enterprise APIs will be managed, with the growth in APIs surpassing the capabilities of API management tools. Although REST- and HTTP-based services remain the most popular API architecture styles, their use will continue to level off as this year progresses, as newer event-driven API architectures such as GraphQL and gRPC grow in popularity.
That said, the ubiquity of APIs will exacerbate sprawl issues this year. The sprawl of APIs within and between cloud native infrastructures has made API security one of the biggest challenges for DevOps today. This also means that unmanaged APIs will become a popular target for cybercriminals who can use them as gateways to gain unfettered access to sensitive data. In pursuit of this data, cybercriminals will put more focus on vulnerable API endpoints that connect directly to an organization’s underlying databases. Expect to hear more about damaging attacks on individual APIs that lead to data leakage.
When it comes to the banking and financial services industry, we would be remiss not to emphasize that API security should be its single most important cybersecurity priority this year. Newly minted APIs will continue to overrun modern banking apps, causing a continuous widening of the attack surface across this vertical.
5. Software Supply Chain Security: If what the industry has witnessed in the past three years is any indication, cyberattacks on software supply chains will only increase in both frequency and severity throughout this year, as they have in previous years. Gartner predicts that by 2025, 45% of organizations will experience attacks on their software supply chains, which will be three times as many as in 2021. Software supply chain (SSC) security is a key priority in 2023, as organizations contend with an onslaught of attacks. From open source and third-party software libraries to developer user accounts and log-in credentials to components required to build, package and sign software — every element of the software supply chain will be subject to attack.
That said, new federal mandates and industry guidance intended to address supply-chain risks will put new pressure on enterprises this year to adopt established and evolving best practices that address SSC security.
And consequently, software component management tools used to track and manage open source software components that developers use will become important. Developers will embrace them to identify and address any vulnerabilities that may be present in their software bill of materials or SBOMs.
It is imperative for enterprises of all sizes and geographies to adopt a cloud native application development model, one that supports the development of modern apps built to meet the needs of the modern user. But, for your modern app to yield unprecedented efficiency, scale and value, the single biggest enabler in 2023 is security.
Cisco’s Panoptica solution protects the full application stack from code to runtime by scanning for security vulnerabilities in the cloud infrastructure, microservices (containers or serverless), the software bill of materials, and the interconnecting APIs. And best of all, it integrates with the tools that your application development and SecOps teams are already using.