2024 predictions: Security, AI, developer retention and the road ahead

Published Dec 19, 2023
by Secure Code Warrior

We’ve hit that time of the year. The time to reflect on everything that’s happened, what we thought would happen and didn’t, lessons learned and what we expect will shape the decisions, actions and outcomes over the next 12 months. 

Challenging economic dynamics, emerging cybersecurity threats, and society’s most accessible introduction to AI to date shaped what was an interesting 2023 for DevSecOps. Even more curious – none of these elements are in the rearview mirror as we turn the page and head into 2024. They are front and center for organizations, their developer and cybersecurity teams, and government regulators.

As priorities shift at a rapid pace, here are the top predictions Secure Code Warrior sees unfolding in the next 12 months: 

Organizations will place a premium on developer retention 

Developers deliver immense value to organizations and their customers. Now it’s on the organizations to demonstrate their value and appreciate what the developer can do for their bottom line. More investment will be made in retention strategies, programs and other efforts to ensure developers are more empowered to make their current employer their long-term career destination. Learning and development will be a huge differentiator for these enterprises. 

More asks of developers will put content and integrations at center stage

The pressures placed on developers will not let up anytime soon, as organizations want more software and continuous digital transformation in the hands of their customers sooner. For developers to stay sharp, anticipate emerging roadblocks in software development life cycles (SDLC) and have access to more resources to accelerate innovation, more learning content and third-party integrations will be of paramount importance.

AI tooling is the new Stack Overflow 

The same way developers go to Stack Overflow or open source forums to seek help, developers will start turning to AI tools. However, this creates a false sense of security. Developers will use AI as a “help channel,” but organizations will realize that this approach is not enough. 

AI remediation is here to stay 

AI is not replacing the developer tomorrow, but the technology is becoming more embedded in the software development life cycle (SDLC), creating a more foolproof process to avoid introducing vulnerabilities, or to identify a compatible fix. We’re bound to see more experimentation throughout the year that will inevitably bring about a change in developer behavior, organizational investment, staffing re-allocation and new approaches to cybersecurity risk management. 

AI reliance + API explosive growth = regulatory measures

The number of companies fueling their businesses through the accelerated creation and enablement of APIs has significantly expanded the API threat vector. With the propensity of AI usage to exponentially increase the speed at which APIs are created and launched, greater governance for API security will need to be a focus – and new regulatory measures are sure to be introduced. 

More consequences for software vendors who don’t ship secure code 

CISA Director Jen Easterly has made it abundantly clear that software vendors should not be permitted to “pass the buck” when it comes to security within their products. While CISA’s powers only extend so far - helping to enforce Secure-by-Design practices for vendors that sell to federal agencies - the MOVEit incident earlier this year reaffirmed that large software vendors need to hit and exceed a new benchmark. There needs to be more accountability and more consequences to enforce for repeat offenders who ship insecure code.

2024’s OWASP Top 10 will show a renewed focus on design flaws 

Speaking of Secure-by-Design, in 2021, OWASP introduced the “Insecure Design” category, focusing on the shift towards architectural security issues and flaws. As we anticipate their upcoming Top 10 list (most likely in 2024), there will be greater, executive-level conversation around the difference between insecure design and insecure implementation, with an emphasis on teams developing a secure software development life cycle (SSDLC), including a complete threat modeling procedure that supports critical authentication and access control configuration.

DevSecOps vendors will need to prove specific ROI to target different executive buyers 

In order to sell to multiple groups in a competitive sales cycle, vendors will need to tailor conversations to different areas of the business. Traditionally, security vendors primarily sell to CISOs or security leadership. In 2024, there will be a greater need for the ability to prove risk reduction in increasingly specific contexts for executives across L&D and DevOps/AppSec – in addition to Security/CISOs.

“Gatekeeping” will be the ticket to security maturity in software development 

CISOs remain under scrutiny to prove the business value of cybersecurity efforts, as well as the effectiveness of their program over time. Developers will increasingly need to prove they are security-aware before being given projects with sensitive repositories. CISOs who adopt a “gatekeeping” standard and prioritize secure coding from the start of the software creation process will better position their teams for security excellence. 

Reactive security will be seen as old school 

As the goal of increased cyber resilience continues to dominate cyber strategies across multiple verticals, those who rely on reaction and incident response as the only core tenets of their plan will find themselves in a place of unacceptable exposure and risk. “Shift left” needs to be more than a rapidly aging buzzword; code-level security should be prioritized, alongside upskilling and verifying the competence of the developers working on the software and critical digital infrastructure we take for granted. Now, more than ever, governments and enterprises alike must commit themselves to a preventative, high-awareness security program in which every member of staff is enabled to share responsibility.

As the leader in secure coding education and implementation, we’re excited for the year ahead and collaborating with our 600+ customers to get ahead of these evolving dynamics. What does your 2024 look like and how can Secure Code Warrior help?

Interested to learn more? Follow us on X and LinkedIn to stay up-to-date on all announcements.

Published Jan 22, 2024
By Secure Code Warrior
