2022 DevSecOps in Review
November 29, 2022
As 2022 comes to an end, Deb Radcliff highlights some of the trends we covered in Shift Left Academy and how those trends may influence DevOps in 2023.
For the second year in a row, our site has been selected as a finalist in Best DevOps Related Video Series for the #DevOpsDozensAwards. We owe that recognition to the experts who shared their knowledge, starting with our 2022 predictions by an expert panel. In it, MITRE’s Tracy Bannon, NCC Group’s Mario Andrés Alvarez Iregi, and Aquia Security’s Chris Hughes predicted that software supply chain and open-source repository risks would drive SBOM adoption and operationalization across the code lineage. Bannon also discussed the rise of artificial intelligence both in development and in securing the development process.
How did their predictions play out in 2022? Pretty much on target.
- SBOM Operationalization: We witnessed the rapid proliferation of tools, procedures, practices, attestations, exchanges, taxonomies and standards driven by software supply chain and open-source risks made painfully public by the SolarWinds compromise, followed shortly thereafter by exploitation of Log4Shell in Log4j, the Apache Software Foundation’s widely embedded open-source Java logging library. Meanwhile, the Office of Management and Budget recently gave federal agencies one year to collect self-attestations of secure development practices from the producers of the software they currently use and plan to buy.
Prediction: expect this government mandate to impact private sector customers who will demand the same level of accountability and visibility into the code they’re buying.
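As an added illustration of what “operationalizing” an SBOM means in practice (example code written for this page, not code from the article, GrammaTech or Shift Left Academy): a small Python checker that reads a CycloneDX JSON SBOM and flags any component whose version sits below a policy floor. The SBOM fragment and the policy table are constructed for the example; the 2.17.1 floor for log4j-core is the commonly cited fix level for the Log4Shell-era CVEs on Java 8+ and is stated here as the example’s assumed policy, not as a complete vulnerability database.

```python
"""Check a CycloneDX JSON SBOM against a minimum-version policy.

Added example for this article; not GrammaTech's or Shift Left Academy's code.
The SBOM below is constructed for illustration and the policy table is an
assumed floor, not a vulnerability database.
"""
import json
import re

# Constructed CycloneDX 1.4 SBOM fragment: three Maven components, one of
# them an old log4j-core. A real SBOM comes from your build tool or generator.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "log4j-api", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-api@2.14.1"},
        {"type": "library", "name": "jackson-databind", "version": "2.13.4.2",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.4.2"},
    ],
})

# Assumed policy: lowest accepted version per package key ("type/namespace/name").
# 2.17.1 is the Log4j 2 release that closed out the Log4Shell-era CVEs for
# Java 8+; everything below it is treated as needing remediation.
MIN_VERSIONS = {
    "maven/org.apache.logging.log4j/log4j-core": "2.17.1",
}

# Minimal package-URL pattern: pkg:type/namespace.../name@version (qualifiers ignored).
_PURL_RE = re.compile(
    r"^pkg:(?P<type>[^/]+)/(?P<ns>(?:[^/@]+/)*)(?P<name>[^/@]+)@(?P<version>[^?#]+)"
)


def parse_purl(purl):
    """Return (key, version) where key is 'type/namespace/name' (namespace may be empty)."""
    m = _PURL_RE.match(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    ns = m.group("ns").rstrip("/")
    key = "/".join(p for p in (m.group("type"), ns, m.group("name")) if p)
    return key, m.group("version")


def version_key(v):
    """Sortable key for dotted versions: numeric parts compare numerically,
    trailing zeros are ignored (2.17.1 == 2.17.1.0), and a '-beta9' style
    suffix sorts before the bare release (2.0-beta9 < 2.0)."""
    main, _, pre = v.partition("-")
    nums = [int(p) if p.isdigit() else 0 for p in main.split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), 0 if pre else 1, pre)


def check_sbom(sbom_json, policy=MIN_VERSIONS):
    """Return [(purl, found_version, required_version)] for every component
    whose version is below the policy floor."""
    bom = json.loads(sbom_json)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("only CycloneDX JSON is handled in this example")
    findings = []
    for comp in bom.get("components", []):
        purl = comp.get("purl")
        if not purl:
            # Without a purl the match is unreliable; a real tool would fall
            # back to name/version or a hash, or report the gap.
            continue
        key, version = parse_purl(purl)
        floor = policy.get(key)
        if floor and version_key(version) < version_key(floor):
            findings.append((purl, version, floor))
    return findings


if __name__ == "__main__":
    for purl, have, need in check_sbom(SAMPLE_SBOM):
        print(f"REMEDIATE {purl}: have {have}, need >= {need}")
```

Run against the constructed SBOM it reports only log4j-core 2.14.1; log4j-api is not in the policy and jackson-databind is not covered. The point for operationalization is that the check keys on the package URL rather than a free-text name, which is what makes the same policy reusable across SBOMs from different generators.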
- Standards Bodies Rise to the Occasion: Standards bodies are farther ahead than our experts predicted. NIST is now the go-to reference for supply chain security risk management, for example, and its Secure Software Development Framework is the yardstick the new federal attestation requirement is measured against. Meanwhile, several groups, such as the IETF (through its Remote ATtestation procedureS working group) and MITRE, are working on a common architecture and vocabulary for attestation, while CISA has opened working groups on SBOM implementation, workstreams, on-ramping and data-sharing exchanges, to name a few.
Prediction: The issue for 2023 will be sorting through standards confusion and getting the private and public working groups to work together.
- The rise of autonomous systems: Automotive systems are essentially software-driven today and will be increasingly autonomous in the future. So the Automotive Information Sharing and Analysis Center (Auto-ISAC) is working to standardize SBOMs for automotive manufacturers. (Check out GrammaTech’s whitepaper on MISRA automotive industry software compliance.) And in another Shift Left webcast, Dr. Ikjot Saini discusses her work at the University of Windsor SHIELD Automotive Cybersecurity Center of Excellence.
Aerospace, particularly spaceflight, has its own sets of issues, such as the limited bandwidth and power of remote computing systems. But because they are coded in the basic languages C and C++, they can stand the test of time and distance, says Dr. Guillaume Brat, lead for Robust Software Engineering at NASA’s Ames Research Center in California’s Silicon Valley. As standards catch up with aerospace software programs, he expects automotive standards like MISRA and AUTOSAR to influence their transportation brethren in aerospace.
Prediction: In 2023, expect greater regulatory scrutiny on increasingly autonomous, OT-based systems.
- Artificial Intelligence: While DevOps teams will be coding for intelligent devices, their development tools and platforms are also incorporating advanced intelligence into their scanning and testing programs. This GrammaTech whitepaper explains how the two can work together to power and secure autonomous devices.
Prediction: To coders and developers OF AI, the issues will be bias and the interplay between product capabilities. For developers USING AI to engineer, write, and release secure code with accurate SBOM attestations, read the fine print and be sure to test before you buy any tool set.
Open-source repositories will continue to be problematic in 2023 and beyond, as attackers weaponize open-source components and buyers demand more visibility into commercial software. SBOMs will help with the latter, but it will be up to developers and repository managers to keep the code components clean. This will, in turn, lead to more security tooling and automation next year and beyond.
Before you go, please vote for Shift Left Academy: https://devopsdozen.com and follow the link to the video category. Judging ends December 31. 🏆