Most developers don't pitch in to help alleviate application security and quality challenges -- at least not directly. Under traditional roles and responsibilities, application security falls outside development, a gap that could be a factor in high-profile breaches now and in the future.
Industry leaders, particularly in security-sensitive markets like financial services, will find ways to keep pushing security consciousness into programming culture. Expect this software development trend to gain traction in 2020.
Take the example of Netflix, which makes developers responsible for fixing quality and security defects on all code that they create. When developers have greater responsibility, they also need greater freedom to adopt their own toolsets.
The need to remediate basic application security problems in development will motivate developers to explore different tools and learn more about secure software patterns in 2020. Some tools -- check out IDE plugins from the likes of Contrast Security, Secure Code Warrior, Semmle and Veracode -- can help developers identify security vulnerabilities and coding defects in software libraries.
Enterprise architects will help in this effort too, building application security and defect testing infrastructure that makes it harder for developers to deploy defective or insecure code. They can also set up a way to automatically generate new tickets for developers to update applications when someone discovers vulnerabilities in existing libraries. This effort requires architects to inventory libraries that are in production, as well as vet known good libraries for developers.
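The inventory-and-ticket workflow described above, as an added example that is not from the article or any vendor named in it: a production library inventory is matched against vulnerability advisories, stale entries in the architects' known-good list are flagged, and one remediation ticket is generated per affected application. All library names, versions and advisory ids are constructed placeholders.

```python
"""Added example: match a production library inventory against constructed
vulnerability advisories and emit one remediation ticket per affected app."""
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Constructed inventory of what each app runs in production; the same row may
# appear more than once (e.g. several replicas report it).
INVENTORY = [
    {"app": "payments-api", "library": "acme-json", "version": "1.4.0"},
    {"app": "payments-api", "library": "acme-http", "version": "3.1.0"},
    {"app": "web-portal", "library": "acme-json", "version": "1.4.2"},
    {"app": "web-portal", "library": "acme-http", "version": "2.8.5"},
    {"app": "batch-worker", "library": "acme-json", "version": "1.3.9"},
    {"app": "batch-worker", "library": "acme-json", "version": "1.3.9"},
    {"app": "batch-worker", "library": "acme-http", "version": "2.8.5"},
]
# Constructed advisories: every version below fixed_in is affected.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "library": "acme-json", "fixed_in": "1.4.2", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "library": "acme-http", "fixed_in": "3.0.0", "severity": "medium"},
]
# Versions the architects vetted as known good; this list can lag behind advisories.
VETTED = {"acme-json": "1.4.2", "acme-http": "2.9.0", "acme-log": "0.9.0"}

def parse_version(v):
    """Compare dotted numeric versions as integer tuples, so 1.10.0 > 1.9.9."""
    return tuple(int(part) for part in v.split("."))

def is_affected(version, fixed_in):
    return parse_version(version) < parse_version(fixed_in)

def stale_vetted(advisories, vetted):
    """Vetted versions an advisory now marks vulnerable; these need re-vetting first."""
    return sorted(a["library"] for a in advisories
                  if a["library"] in vetted and is_affected(vetted[a["library"]], a["fixed_in"]))

def generate_tickets(inventory, advisories, vetted):
    """One ticket per (app, advisory); upgrade target is the vetted version when it is fixed."""
    tickets = {}
    for row in inventory:
        for adv in advisories:
            if adv["library"] != row["library"] or not is_affected(row["version"], adv["fixed_in"]):
                continue
            target = vetted.get(adv["library"])
            if target is None or is_affected(target, adv["fixed_in"]):
                target = adv["fixed_in"]  # vetted list missing or stale; use the advisory's fix
            # Key on (app, advisory) so duplicate inventory rows collapse into one ticket.
            tickets[(row["app"], adv["id"])] = {
                "app": row["app"], "library": row["library"], "current": row["version"],
                "upgrade_to": target, "advisory": adv["id"], "severity": adv["severity"]}
    return sorted(tickets.values(), key=lambda t: (SEVERITY_RANK[t["severity"]], t["app"]))
```

Each returned dict is the payload for one ticket; tickets are ordered by severity, then application, so the highest-risk work surfaces first.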
Additionally, expect QA teams to work with developers to create tools that automatically test new applications, so developers can identify defects before an app moves on to the build stage. QA teams might also invest in increasingly autonomous testing tools to improve the prioritization of test coverage.
Expect enterprises to make greater use of AI to analyze new source code for defects earlier in the development cycle than established testing steps. As vendors improve the quality of static analysis features, AI can augment it and identify errors that don't show up in other code evaluation approaches.
Companies will undertake DevSecOps to improve the collaboration between security, QA and developer teams across the SDLC in 2020. This approach embeds security and QA professionals with development teams, but it's more than communication. DevSecOps helps reduce security overhead, as developers can focus on a relevant set of security requirements, rather than a generic list. Security analytics tooling can provide an assist through log analytics and AI to identify threats.
George Lawton is a journalist based in San Francisco.