The DevSecOps Landscape is Maturing – We Want to Hear About Your Journey

Time is running out to take part in Sonatype’s annual DevSecOps Community Survey. Share your stories with others in the space.

The race to out-innovate one’s competition has led to high-performing organizations chasing increased deployment velocities but often ignoring the quality of parts being used to manufacture their applications. It was 2003 when Bruce Schneier (@schneierblog) penned, “Today there are no real consequences for having bad security, or having low-quality software of any kind. Even worse, the marketplace often rewards low quality. More precisely, it rewards additional features and timely release dates, even if they come at the expense of quality.” 17 years later, and it can sometimes feel like we haven’t grown enough.

As nimble organizations aim to deliver new innovations faster using DevOps principles, the question of how and where security fits into the equation has spawned bigger conversations around what DevSecOps really means. And, in some circles, the question is whether DevSecOps is even a different principle, since security should already be a part of DevOps.

This is why we do the DevSecOps Community Survey every year: to better understand how organizations are adapting, what previous challenges were overcome, what new challenges may have popped up, and to examine what approaches are being prioritized within teams to better identify risks. These questions, and many others, are extremely important, and they are why we’re embarking on the 7th annual DevSecOps Community Survey. And we’re looking for you to help us understand the state of DevSecOps.

Sonatype, DevOps.com, Security Boulevard, CloudBees, Carnegie Mellon SEI, DevOps Institute, NowSecure, Verica, All Day DevOps, and DevSecOps Days launched the annual DevSecOps Community Survey earlier this month. We’ve already received more than 5,000 responses, but we have high ambitions and want this to be the most in-depth and comprehensive study to date—and we need your help to do that.

Since we started this survey seven years ago, we’ve seen a consistent maturation of DevOps practices and their combination with automated security. More and more respondents highlight that their practices have evolved and adapted to a DevSecOps mentality—or that they have the ambition to do so. That said, we know we’re still in the early stages of so many DevSecOps transformations, and while people may recognize the need for governance policies with DevOps, the theory doesn’t always make it into practice. The insights we gain from this survey allow us to provide concrete information back to the community on what those who have successfully transformed themselves are doing well, and what their journey looked like.

For instance, from the 5,500-plus respondents who took last year’s survey, we saw that more than 47% of them were deploying changes into production multiple times per week. This meant that as adversaries are getting faster at exploiting vulnerabilities, DevOps organizations that can identify cybersecurity risks and remediate them sooner can better defend themselves.

We’ve learned that security is difficult to ignore when it’s embedded where developers already are, but there is a lot more to understand about current practices. The voice of the community these past seven years has been invaluable and we recognize that the experiences of those in the community can help us learn what resources are needed to support this ongoing cultural shift.

In this year’s survey, for the first time, we’re also aiming to understand how respondents feel about their jobs and the environments they work in. DevSecOps, as much as anything, is a culture, and we want to better understand the cultural attributes that elite DevSecOps practices employ.

Please take a few minutes to fill out the 2020 DevSecOps Community Survey today. Help us help the industry by better comprehending how the DevSecOps community has matured over the past year. And you may even win one of our prizes: a MacBook, AirPods Pro or an Oculus Quest. Everyone who takes the survey will also receive a first look at the results.

DJ Schleen

DJ is a seasoned DevSecOps advocate at Sonatype and provides thought leadership to organizations looking to integrate security into their DevOps practices. He comes from a practitioner background and specializes in architecting DevSecOps pipelines, automating security in DevOps environments, and breaking down organizational silos that inhibit the delivery of safer software. DJ has worked to streamline development pipelines and practices for many Fortune 100 organizations by focusing on culture and technique. He uses this expertise to surface the right technology to serve business goals and support outcomes. He is an international speaker, blogger, instructor and author in the DevSecOps community where he encourages organizations to deeply integrate a culture of security and trust into their core values and product development journey.
