From Infrastructure as Code to GitOps and serverless architecture, the top DevSecOps trends in 2022 will continue to enable teams to automate, streamline their CI/CD pipelines, and make time for innovation.
As businesses take steps to innovate faster, software development quality—and application security—have moved front and center. This is fueling key DevSecOps trends in 2022.
For software development teams to balance speed with quality during the software development life cycle (SDLC), development, security, and operations teams (DevSecOps teams) need to ensure that their practices align with modern cloud environments. That can be difficult when the business climate prioritizes speed.
Indeed, according to one survey, DevOps practices have led to 60% of developers releasing code twice as quickly. But increased speed creates a tradeoff: According to another study, nearly half of organizations consciously deploy vulnerable code because of time pressure.
DevSecOps teams can address this unsettling tradeoff by automating processes throughout the SDLC, centralizing application configuration with a shared set of tools, and using observability platforms to gain visibility into code-quality lapses, security gaps, and other software development issues.
Incorporating DevSecOps practices can bring security, compliance, and development discipline to organizations seeking to move faster without sacrificing code quality: According to one survey, 96% of respondents said their organization would benefit from automating security and compliance processes, a key principle of DevSecOps.
DevSecOps adoption is on the rise, though still emerging as a best practice for developing secure, high-quality code. According to GitLab’s 2021 Global DevSecOps Survey, 36% of respondents develop software using DevSecOps, compared with only 27% in 2020.
As DevSecOps practices gather steam in 2022, there are several concurrent technology trends that will likely further DevSecOps adoption. These DevSecOps trends will also aid teams as they integrate security and compliance into processes without slowing innovation or creating additional work for already time-strapped teams.
1. Increased adoption of Infrastructure as code (IaC)
IaC, or infrastructure as code, defines and manages IT infrastructure in versioned, executable software definitions rather than in hand-configured hardware. As a result, developers and operations teams can automatically manage, monitor, and provision IT resources through code rather than manually configuring one device after another. Infrastructure as code is also known as software-defined infrastructure.
According to a Gartner report, “By 2023, 60% of organizations will use infrastructure automation tools as part of their DevOps toolchains, improving application deployment efficiency by 25%.”
Codified infrastructure accelerates DevSecOps practices and adoption. Enshrining infrastructure in code provides a foundation for automation and testing—both of which are crucial for DevSecOps. It does so by creating repeatable, automated software-driven processes.
IaC benefits teams by enabling the same deployment to be replicated as often as needed simply by executing the code again, which frees DevSecOps teams' time for other projects. The effort and time saved grow with the number of times the infrastructure needs to be replicated.
Another key benefit of IaC that can accelerate DevSecOps adoption is reducing human error. A key component of DevSecOps is enshrining process in code, to ensure that the process is executed correctly despite the myriad complexities that arise during the delivery of software. IaC enables DevSecOps teams to institutionalize these processes in code, ensuring repeatable, secure, automated, and efficient processes.
2. Mounting attacks via vulnerable third-party code
As cyberattacks continue to escalate, organizations may find themselves exposed through third-party code or code libraries that they have incorporated into their own software. Log4Shell, disclosed in December 2021, showed that organizations need to monitor not only their own code in development and production but also the code of their partners and customers.
Log4Shell (CVE-2021-44228) gives an attacker remote code execution against software that uses the Java logging library Log4j, versions 2.0-beta9 through 2.14.1, by getting the application to log a string containing a JNDI lookup. In December 2021, many organizations took devices and applications offline to prevent attackers from gaining access to networks and sensitive data. In the ensuing days and weeks, DevSecOps teams had to find every copy of Log4j throughout the development cycle, from build dependencies to running workloads, including copies bundled inside other archives.
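One way to do that last step, as an added example that is not part of the original article and not Dynatrace's own code: a Python script that opens JAR files, reads the log4j-core version from its Maven pom.properties, checks whether JndiLookup.class is still present (deleting that class was the documented emergency mitigation), and recurses into jars nested inside fat jars, WARs and EARs. The sample archives at the bottom are constructed in memory for illustration; the paths and class bytes in them are made up.

```python
import io
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import Optional

# Marker files inside a log4j-core jar. CVE-2021-44228 affects log4j-core 2.0-beta9 through
# 2.14.1; the documented emergency mitigation was to delete JndiLookup.class from the jar.
POM_PROPS = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
LAST_VULNERABLE = (2, 14, 1)
NESTED_ARCHIVES = (".jar", ".war", ".ear", ".zip")


@dataclass
class Finding:
    path: str                 # "outer.jar!/BOOT-INF/lib/inner.jar" for nested archives
    version: Optional[str]    # None when pom.properties is missing (stripped or shaded jar)
    jndi_present: bool
    vulnerable: bool


def parse_version(text):
    """'2.14.1' -> (2, 14, 1); '2.0-beta9' -> (2, 0). Returns None if unparseable."""
    m = re.match(r"(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def _scan_archive(zf, path, findings):
    names = set(zf.namelist())
    version = None
    if POM_PROPS in names:
        for line in zf.read(POM_PROPS).decode("utf-8", "replace").splitlines():
            if line.startswith("version="):
                version = line.split("=", 1)[1].strip()
    jndi = JNDI_CLASS in names
    if version is not None or jndi:
        parsed = parse_version(version) if version else None
        # Exploitable only while the JNDI lookup class is present. An unknown version with the
        # class present is reported as vulnerable so that a human reviews it.
        vulnerable = jndi and (parsed is None or parsed <= LAST_VULNERABLE)
        findings.append(Finding(path, version, jndi, vulnerable))
    for name in sorted(names):   # fat jars, WARs and EARs bundle their own copies of log4j
        if name.lower().endswith(NESTED_ARCHIVES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue
            _scan_archive(inner, f"{path}!/{name}", findings)


def scan_jar_bytes(data, path="<memory>"):
    """Scan one archive held in memory; returns a list of Finding, one per log4j-core copy."""
    findings = []
    _scan_archive(zipfile.ZipFile(io.BytesIO(data)), path, findings)
    return findings


def scan_file(path):
    with open(path, "rb") as fh:
        return scan_jar_bytes(fh.read(), path)


def build_jar(entries):
    """Constructed fixture: an in-memory jar built from name -> content entries."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample archives (not real log4j builds); contents only need the marker names.
FAKE_CLASS = b"\xca\xfe\xba\xbe"   # class-file magic; the scan never inspects class bodies
SAMPLE_VULNERABLE = build_jar({POM_PROPS: "version=2.14.1\n", JNDI_CLASS: FAKE_CLASS})
SAMPLE_MITIGATED = build_jar({POM_PROPS: "version=2.14.1\n"})     # JndiLookup.class deleted
SAMPLE_PATCHED = build_jar({POM_PROPS: "version=2.17.1\n", JNDI_CLASS: FAKE_CLASS})
SAMPLE_FAT_JAR = build_jar({"BOOT-INF/lib/log4j-core-2.14.1.jar": SAMPLE_VULNERABLE,
                            "BOOT-INF/classes/app/Main.class": FAKE_CLASS})

if __name__ == "__main__":
    paths = sys.argv[1:]
    results = ([f for p in paths for f in scan_file(p)] if paths
               else scan_jar_bytes(SAMPLE_FAT_JAR, "app.jar"))
    for f in results:
        state = "VULNERABLE" if f.vulnerable else "ok"
        print(f"{state:10} {f.path} version={f.version} jndi={f.jndi_present}")
    sys.exit(1 if any(f.vulnerable for f in results) else 0)
```

Run it with one or more jar, war or ear paths; with no arguments it scans the constructed fat jar and reports the nested log4j-core copy. The version check alone is not enough: a 2.14.1 jar with JndiLookup.class removed is reported as not vulnerable, and a jar with no pom.properties but the class present is flagged for review, because shaded and repackaged jars lose their Maven metadata.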
“Wise developers don’t reinvent the wheel: they use existing libraries and/or frameworks,” wrote Nicolas Fränkel in the article You’re running untrusted code! “From a security point of view, it means users of such third-party code should carefully audit it. We should look for flaws: both bugs and vulnerabilities.”
The next major security vulnerability may share similar properties with Log4Shell. As a result, organizations should enlist observability platforms to scrutinize their IT landscapes and identify at-risk code.
3. AIOps for root-cause analysis becomes critical
As cloud complexity grows, managing these environments with manual processes becomes impossible to sustain. For DevSecOps teams to regain control, it’s increasingly important to enlist automation to capture observability data and harness AIOps (AIOps applies AI to IT operations).
By analyzing data on activity in real-time, teams can unlock the insights developers need to accelerate innovation.
As Forbes noted, AIOps is “moving from marketing hype to a useful tool being adopted across the enterprise.” Broader business deployment stems from increasingly sophisticated AI algorithms and the growing speed at which AI can discover new data relationships. The ability to identify the root cause of IT issues in real-time—and in some cases to provide automated remediation—has become critical for DevSecOps teams.
This real-time analysis is key as teams integrate security verification to test code in development and continually identify new security vulnerabilities in production.
4. Weighing ML-based observability vs. AIOps
Not all software intelligence is created equal. Another trend is weighing machine learning (ML)-based approaches to observability vs. AIOps-enabled capabilities.
With ML-based approaches, a model must first be trained on historical data to learn what normal behavior looks like before it can flag anomalies. Teams then need to verify the data modeling, which siphons time and effort from DevSecOps teams trying to accomplish strategic work.
AIOps, conversely, is an approach to software operations that combines AI algorithms with data analytics to automate key tasks and suggest precise answers to common IT issues, such as unexpected downtime or unauthorized data access. Unlike ML-based approaches, AIOps does not require a training phase: its algorithms observe events in context. That precision and autonomy reduce the burden on IT teams, which can offload routine monitoring and management tasks and focus on more mission-critical concerns.
Moreover, ML-based approaches merely identify correlations between a problem and candidate solutions, whereas AIOps provides precise answers to precisely identified problems.
5. GitOps becomes the new normal
GitOps is a framework of practices that manage infrastructure and application configurations using Git, an open-source version control system. As a result, Git becomes the single source of truth and control mechanism for creating, updating, and deleting system architecture dynamically. Because GitOps enables automation, it advances the principles of Infrastructure as Code.
GitOps uses pull requests to review, verify, and automatically deploy infrastructure modifications: a change is proposed as a pull request, checked and reviewed, merged, and then applied to the environment by automation rather than by hand. Centralizing as many of these configurations in one place as possible gives teams greater control.
As more organizations move to continuous integration and continuous delivery (CI/CD), they have more opportunities to implement GitOps. This approach enables teams to apply automation to their testing, delivery, deployment, and governance. GitOps also streamlines infrastructure tasks and workflows.
6. Kubernetes infrastructure evolves
Central to these DevSecOps trends and any digital transformation journey is Kubernetes. Kubernetes is an open-source platform that orchestrates the management, deployment and scaling of containers (a unit of software that packages code and all its dependencies).
With this package of components, an application can quickly and reliably move from one computing environment, such as testing, to another. Kubernetes empowers organizations to be more productive as they develop applications.
Containers enable multiple teams to work on different facets of a project simultaneously. With containers, teams can manage resources, fix bugs more quickly, and shorten work cycles.
Kubernetes has changed the way organizations develop applications. It also enables developers to be responsive to changing customer requirements while enlisting shared resources on various cloud platforms. Adopting Kubernetes can result in a massive boost to efficiency and makes building, testing, and deploying easier in DevSecOps pipelines.
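The three preceding sections (infrastructure as code, GitOps, and Kubernetes) meet in the pull-request check that a GitOps pipeline runs before any manifest is merged. As an added example that is not part of the original article and not Dynatrace's own code: a policy gate, in Python, that rejects Kubernetes workload manifests asking for privileged containers, host namespaces, unpinned images, root, a writable root filesystem, or unbounded resources. The manifests are in Kubernetes' JSON form so only the standard library is needed; the two Deployments at the bottom, a weak one beside its hardened form, and their names and images are constructed for illustration.

```python
import json
import sys

WORKLOAD_KINDS = ("Deployment", "StatefulSet", "DaemonSet", "Job", "ReplicaSet")


def pod_spec(manifest):
    """Return the PodSpec embedded in a workload manifest, or None for other kinds."""
    kind = manifest.get("kind")
    spec = manifest.get("spec", {})
    if kind == "Pod":
        return spec
    if kind == "CronJob":
        return spec.get("jobTemplate", {}).get("spec", {}).get("template", {}).get("spec")
    if kind in WORKLOAD_KINDS:
        return spec.get("template", {}).get("spec")
    return None


def image_is_pinned(image):
    """True if the image reference carries a digest or a tag other than 'latest'."""
    if "@sha256:" in image:
        return True
    last = image.rsplit("/", 1)[-1]       # drop registry/repo path, which may contain ':port'
    tag = last.partition(":")[2]
    return tag not in ("", "latest")


def check_manifest(manifest):
    """Return a list of policy findings for one manifest (empty list means it passes)."""
    findings = []
    name = manifest.get("metadata", {}).get("name", "<unnamed>")
    pod = pod_spec(manifest)
    if pod is None:
        return findings                    # ConfigMap, Service, ...: nothing to check here
    for flag in ("hostNetwork", "hostPID", "hostIPC"):
        if pod.get(flag):
            findings.append(f"{name}: {flag} is enabled")
    pod_sc = pod.get("securityContext", {})
    for c in pod.get("initContainers", []) + pod.get("containers", []):
        where = f"{name}/{c.get('name', '<unnamed>')}"
        image = c.get("image", "")
        if not image_is_pinned(image):
            findings.append(f"{where}: image {image!r} is not pinned to a tag or digest")
        # container-level securityContext overrides pod-level for the fields both can carry
        sc = {**pod_sc, **c.get("securityContext", {})}
        if sc.get("privileged"):
            findings.append(f"{where}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):   # Kubernetes defaults this to true
            findings.append(f"{where}: allowPrivilegeEscalation is not false")
        if not sc.get("runAsNonRoot"):
            findings.append(f"{where}: runAsNonRoot is not set")
        if not sc.get("readOnlyRootFilesystem"):
            findings.append(f"{where}: root filesystem is writable")
        if "ALL" not in (sc.get("capabilities", {}).get("drop") or []):
            findings.append(f"{where}: capabilities are not dropped (drop: [ALL])")
        if not c.get("resources", {}).get("limits"):
            findings.append(f"{where}: no resource limits")
    return findings


def gate(manifests):
    """Evaluate every manifest proposed in a pull request; returns (passed, findings)."""
    findings = [f for m in manifests for f in check_manifest(m)]
    return (not findings, findings)


# Constructed sample manifests (hypothetical service, registry and digest).
WEAK = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "payments"},
        "spec": {"template": {"spec": {
            "hostNetwork": True,
            "containers": [{"name": "api", "image": "registry.example.internal/payments:latest",
                            "securityContext": {"privileged": True}}]}}}}
HARDENED = {"apiVersion": "apps/v1", "kind": "Deployment", "metadata": {"name": "payments"},
            "spec": {"template": {"spec": {
                "securityContext": {"runAsNonRoot": True,
                                    "seccompProfile": {"type": "RuntimeDefault"}},
                "containers": [{"name": "api",
                                "image": "registry.example.internal/payments@sha256:" + "0" * 64,
                                "securityContext": {"allowPrivilegeEscalation": False,
                                                    "readOnlyRootFilesystem": True,
                                                    "capabilities": {"drop": ["ALL"]}},
                                "resources": {"limits": {"cpu": "500m", "memory": "256Mi"}}}]}}}}

if __name__ == "__main__":
    docs = []
    for path in sys.argv[1:]:              # JSON files: one object, a List, or an array
        with open(path) as fh:
            loaded = json.load(fh)
        docs.extend(loaded.get("items", [loaded]) if isinstance(loaded, dict) else loaded)
    passed, findings = gate(docs or [WEAK, HARDENED])
    print("\n".join(findings) or "no findings")
    sys.exit(0 if passed else 1)
```

Wired into the pull-request job of the GitOps repository, a non-zero exit blocks the merge, so the reconciliation agent never applies a manifest that fails policy; with no arguments the script evaluates the two constructed Deployments and fails on the weak one. The pod-level and container-level securityContext are merged so that runAsNonRoot set once on the pod satisfies every container, which mirrors how Kubernetes applies the field.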
7. Serverless architecture expands
Serverless computing is an application building and hosting model based in the cloud that enables companies to consume resources on-demand. Serverless architecture becomes compelling for teams that want to build, manage, and scale applications without managing all the underlying infrastructure. With a serverless model, a cloud provider manages the infrastructure and provides tools for building applications modularly.
Delegating the task of infrastructure management to a cloud provider enables organizations to scale dynamically. Going serverless can also be more cost-effective than managing infrastructure on-premises. Organizations pay only for the resources they use. Because cloud providers host the infrastructure, serverless computing also improves disaster recovery and IT system resilience.
8. Microservices gain ground over monolithic app development
Microservices go hand-in-hand with serverless computing. Instead of developing monolithic applications, which are time-consuming and costly to develop and test, teams can break an application into independent units, which gives them flexibility. As a result, teams can escape the confines of traditional application development.
By breaking services into modular pieces, organizations can benefit from more flexible, incremental development to suit business units’ needs. And when problems arise, microservices enable developers to work on the problem in a contained way rather than disrupt the entire application. This kind of modular application development helps DevSecOps teams stay agile and flexible while also attending to code quality and security.
Digital transformation will further DevSecOps trends in 2022
Ultimately, 2022 will be a year of accelerated DevSecOps adoption and process maturation. It’s almost a matter of survival for companies making efforts to digitally transform. To navigate these DevSecOps trends and innovate faster without sacrificing security and product quality, teams need modern, automated platforms to reduce friction in the software development lifecycle, enable collaboration between teams, and automate processes that ensure quality control.
Learn more about DevSecOps and how Dynatrace can help you get there from the ebook, Cloud application security: The next generation.