DevSecOps Makes a Difference, but Uptake is Slow

A new study touts the benefits of DevSecOps practices for improving security posture, but finds they are slow to catch on in many organizations. The survey, released this month by Sonatype, CloudBees, Signal Sciences, Twistlock and Carnegie Mellon’s Software Engineering Institute, highlights the gains in security hygiene at businesses employing DevSecOps practices, but also finds that only a small percentage are dedicating time and resources to DevSecOps, the philosophy of building security into the development process from the outset.

The “2019 DevSecOps Community Survey” of 5,558 IT professionals also found that organizations with elite DevSecOps programs are outperforming others in terms of DevOps automation, open source controls, container controls, training and cybersecurity preparedness.

“One thing is abundantly clear: DevSecOps investments are paying off in terms of cultural change management, automated tooling, training, and cybersecurity hygiene,” noted the report summary.

The survey showed that 27 percent of organizations in the study have mature DevOps practices and 48 percent are improving their DevOps maturity. DevOps was represented most strongly in the banking, communications and retail sectors.

Finding Time for Security is a Challenge

The report also notes that while developers know security is important, almost half admit they don’t have enough time to spend on it. However, among the mature programs the survey identifies as the “DevOps Elite,” security practices are developing more rapidly, and adoption of and adherence to security practices are improved.

“While DevOps professionals and developers have no more time to spend on security, across the DevOps Elite, cybersecurity hygiene was significantly elevated,” noted the report summary.

Motivations for Adopting DevSecOps Practices

When asked “What is your main motivation to implement security across the development life cycle?”, respondents most often cited risk management, followed by code quality and compliance; customer requirements and competitive advantage trailed well behind. Answers included:

  • Risk management, 34.77 percent
  • Improve quality of the code / application, 24.75 percent
  • Compliance requirements, 23.42 percent
  • Customer requirements, 9.91 percent
  • Competitive advantage, 5.74 percent

Mature DevOps practices are 350 percent more likely to integrate automated security, according to the report. But 76 percent of organizations reported that security tools are not integrated, or are only partially integrated, into their DevOps pipeline.

Breach Rates Higher in Mature DevOps Shops?

Interestingly, while 27 percent of organizations with Elite DevOps practices cited a breach in the last year, only 21 percent of those without DevOps practices said they had experienced one. The report authors believe the higher breach rate among more mature shops may reflect a higher level of understanding and awareness rather than more incidents.

“With less visibility and fewer controls surrounding open source in less mature organizations, we suspected the lower breaches in the immature group were more an indication of lack of breach awareness,” they noted in the report.

“We must all recognize security is a living thing and organizations should be prepared to prevent and respond to breaches at any moment within their application life cycle,” said Hasan Yasar of the Software Engineering Institute at Carnegie Mellon University. “It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”

Joan Goodchild


Joan is a veteran journalist, editor and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online.