While application breaches jumped 55%, emerging DevSecOps practices grew 15%
Sonatype, the leader in open source governance and DevSecOps automation, today published findings from its fifth annual DevSecOps Community Survey of 2,076 IT professionals. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions.
Survey respondents revealed that breaches related to open source components have grown by a staggering 50% since 2017, and by 121% since 2014. This follows on from Sonatype’s findings earlier in the year, which showed that 1 in 8 open source components downloaded by developers in the UK contained a known security vulnerability.
Yet despite this, resourcing and training still present challenges: 48% of respondents admitted that they don’t have enough time to spend on application security, while 35% of developers from companies with no DevOps practices received no training on application security in the past year.
The results also revealed that developers outnumber security professionals by 100:1, highlighting the urgent need for automated application security testing to mitigate risks and improve business productivity.
The findings demonstrated that more organisations are waking up to this approach, with mature DevOps practices showing a 15% year-over-year growth in applying security practices throughout the development lifecycle.
The survey found that those companies with mature DevOps practices are 24% more likely to have deployed automated security practices throughout their development lifecycle. Investments in open source governance, container security, and web application firewalls were noted as the most critical to companies pursuing DevSecOps transformations.
Other key findings from the survey include:
- 77% of mature DevOps organisations have open source policies in place, with a 76% adherence rate. Conversely, only 58% of respondents without mature DevOps practices had a policy with a 54% adherence rate – revealing that DevSecOps automation is difficult to ignore.
- 59% of mature DevOps companies are building more security automation into their development process as attention toward GDPR compliance grows.
- 88% of those with mature DevOps practices are investing in application security training, while 35% with immature practices said they had no access to security training. This finding points to stronger cybersecurity readiness postures of those investing in DevOps.
- 63% of respondents with mature DevOps practices say they leverage security products to identify vulnerabilities in containers, as these components become more ubiquitous in modern IT landscapes.
- 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it, shedding light on the growth in automated security investments.
“The appeal of using one technology that’s free rather than buying a licenced, chargeable piece of software is apparent. But so are the risks – so it is concerning that some developers are simply ignoring the policies crafted and communicated for their organisations, likely for the sake of speed and costs.”
– Helen Beal, DevOpsologist | Ranger4
“It seems that DevOps with a security mindset is not enough. Full-blown DevSecOps – in which security is a foundational principle of software delivery and considered from the word ‘go’ – is needed.”
– Benjamin Wootton, Co-founder and CTO | Contino
“As more software is layered into an ecosystem, more automation will make management less challenging. Automating security tooling into container based workflows will become a critical piece of every major organization’s security posture. Remember, always be shifting left.”
– Chris Short, Sr. DevOps Advocate | SJ Technologies
“There isn’t one way to overhaul your company’s culture, policy, or structure and most importantly. The key lies in how development teams can leverage their security team knowledge and develop secure applications from inception to deployment.”
– Hasan Yasar, Technical Manager and Adjunct Faculty Member | Carnegie Mellon University
“It’s not only about automating development, deployment and security; it’s also about changing the way all parts of an organization – technical and otherwise – are involved in the software development life cycle. If you think about it, you see that in big organizations DevSecOps is really DevSecOpsAndEverybodyElse.”
– Oleg Gryb, Chief Security Architect | Financial Services Industry
About the Survey
The 2018 DevSecOps Community Survey provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The survey was conducted by Sonatype, Carnegie Mellon’s Software Engineering Institute, Contino, DZone, Ranger4, SJ Technologies, and Signal Sciences. The survey’s margin of error is ±2.02 percentage points for 2,076 IT professionals at the 95% confidence level.