The 2019 DevSecOps Community Survey, hosted by open source software development company Sonatype, shows that mature programs are 700 percent more likely to automate security as adversaries accelerate their pace.
Represented locally by 9TH BIT Consulting, Sonatype recently announced the findings of its 6th annual DevSecOps Community Survey of 5,558 IT professionals. The survey has unveiled a new portrait of what organisations with elite DevSecOps programs look like in the face of accelerating attacks from bad actors.
Barry de Waal, chief executive of strategy and sales at 9TH BIT Consulting, says that as DevOps practices mature rapidly, elite organisations are automating security earlier in the development lifecycle and managing their software supply chains as a critical differentiator from their competitors.
“The survey results revealed that companies with elite DevSecOps programs are outperforming other enterprises by extreme margins,” he says.
Those factors include:
- DevOps automation – Elite DevSecOps practices are 700 percent more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have increased feedback loops that enable security issues to be identified directly from tools.
- Open source controls – 62 percent of respondents with elite programs have an open source governance policy in place, where automation improves adherence to it, compared to just 25 percent of those without DevOps practices.
- Container controls – 51 percent of respondents with elite practices say they leverage automated security products to identify vulnerabilities in containers, while only 16 percent of those without said the same thing.
- Training – Organisations with elite DevSecOps practices are three times more likely to provide application security training to developers than those organisations without DevOps practices.
- Preparedness – 81 percent of those with elite practices have a cybersecurity response plan in place, compared to 62 percent of those without DevOps practices.
“Forty-seven percent of the organisations we surveyed are deploying to production multiple times a week, while the velocity of their security practices is also increasing,” said Derek Weeks, VP and DevOps Advocate at Sonatype.
“The DevSecOps community has shown us that elite organisations are performing significantly less manual work, seamlessly blending security into their developers’ world, and are better prepared for remediating security incidents as they arise, when compared to their counterparts without DevOps practices.”
9TH BIT’s De Waal says: “Out of the 5,000 plus respondents, 24 percent have suspected or verified a breach related to open source components and this represents a 71 percent increase since Heartbleed made headlines five years ago.
“50 percent of elite programs produce a complete software bill of materials that’s updated regularly, while only 19 percent of those without DevOps practices keep this.
“Notably, developers continue to believe security is important, but are unable to make it a priority. This is the third year in a row where 48 percent of respondents admitted that developers feel they don’t have the time to spend on this, with 50 percent of respondents using cloud infrastructure simply relying on the service provider to secure their cloud.
“Lastly, but also key, is that 46 percent of organisations without DevOps practices do not have application-level credentials encrypted, while 75 percent of elite DevSecOps practices do.”
He closes by noting that although development is where security is required at speed, with attacks coming from all sides, security still seems something of a mystery to developers, and this, he says, is the gap that most urgently needs to be closed.