DevOps and DevSecOps developments to watch in 2019
Some predictions are more accurate than others. Last year, I was sure that serverless would finally overtake containers—but then 2018 turned out to be the year of Kubernetes. In the San Francisco Bay Area, you couldn’t throw a rock without hitting an engineer talking about Kubernetes (or cryptocurrency, but let’s not go there). That’s not stopping me from offering a fresh batch of hot-off-the-press predictions about DevOps and DevSecOps for 2019.
It’s finally the year of serverless… we mean it this time
People who’ve spent a good part of the last year dealing with containers and Kubernetes will finally realize that they haven’t alleviated any of their real operational burden. This is because of the axiom: operational burden is neither created nor destroyed, it is merely transferred. But here’s the thing: serverless adds simplicity and a new economic model to cloud computing. And there are four key areas to apply serverless — the software supply chain, the delivery pipeline, data flow, and attack detection.
In 2019, the industry will realize that following in the footsteps of giant tech companies like Google is not working out the way that they hoped, and that their time is better spent investing in using serverless architectures instead.
Enterprise companies take up the DevSecOps mantle
Security will finally blend with DevOps in the most unlikely of places: the enterprise! Since the original blending of dev and ops into DevOps first took root at Silicon Valley darlings and hipster startups, one might think that security and DevSecOps would follow a similar path. However, security is not a problem that small companies have the resources to tackle.
Instead, the lead innovators in DevSecOps will be Fortune 500 companies that face complex regulatory and compliance issues and as a result have security resources in spades. We’ve already seen incredible progress at companies like Capital One and Intuit, and in 2019 we’ll see even more.
Security stops using training as a defense mechanism
Security’s longest-running trope is that training is the best defense. In the eyes of many organizations, the solution to security’s inability to keep up with modern development and engineering practices is to train developers to write code with no security vulnerabilities. This is, of course, ridiculous: you can’t teach humans to write code without errors, much less rely on this training as a reliable detection mechanism. While training is a valuable—but small—part of any good AppSec program, it shouldn’t be seen as a first-line defensive measure. In 2019, we’ll move away from training and focus on implementing instrumentation that provides security telemetry and increases observability in the system.
Application security becomes more about the application
This is a complete repeat from my predictions article last year, but that’s because I see this one actually coming true! The perennial web application security checklist is to avoid XSS, SQLi, and the rest of the OWASP Top 10. In 2019, application security will finally shift from language and framework vulnerabilities to conversations around how applications are actually getting attacked. In the new year, the conversation will hinge on account takeovers, fraud detection, and abuse inside the application. This is good for the industry, since we’ll move past automatic scanning by adding real instrumentation to detect bad actors.
DevOps continues to grow in the enterprise
When it comes to DevOps, people are starting to take notice. For a while now, those involved in the day-to-day technical aspects have been loving the collaboration between teams, the room it provides for automation, the faster time-to-market, you name it. The DevOps and DevSecOps movement has also made major headway among enterprises in the past few years, and 2019 is a crucial time for leaders to plan for and implement it across industries. Among the C-suite, there is growing acknowledgement that the role of DevOps is evolving — from driving efficiency to being a catalyst for innovation, all while delivering world-class stability, reliability and security.
There is some relatively uncharted territory ahead, but the changes we’re going to see in 2019 will potentially lead to huge gains, both for us as practitioners and for businesses.