DevSecOps Gains Traction — but Security Still Lags
Almost half of teams develop and deploy software using a DevSecOps approach, but security remains the top area of investment, a survey finds.
Software developers and operations teams continue to adopt DevOps and other agile methodologies as well as automation and low-code services, but they still struggle with security, the fallout of the COVID-19 pandemic, and a shortage of skilled security workers, according to a newly published annual survey from GitLab.
DevSecOps results in better code quality, higher developer productivity, and improved operational efficiency, according to the survey of more than 5,000 software developers, operations specialists, and application security professionals. Security still is a problem, however. While more than half (57%) of those surveyed considered security to be a performance metric, nearly the same number said it was “difficult to get devs to actually prioritize fixing code vulnerabilities.”
The survey conducted by the toolchain provider underscores that all participants in the development and deployment process still need to improve the communications and relationships between groups, says Johnathan Hunt, vice president of information security and cybersecurity at GitLab.
“Getting developers and security professionals to work better together requires a culture-first approach to software development through the creation of a DevOps culture,” Hunt says. “A DevOps platform lends itself well to this approach by granting organizations seamless collaboration across DevSecOps teams, shared ownership of security and compliance, and strategic uses of technologies such as automation and AI/ML.”
Mix and Match
The survey found that no single dominant approach to software development exists, and most teams use a mix of approaches. While the largest share of development teams (47%) used DevOps and DevSecOps, other agile approaches accounted for significant shares as well: 34% of teams used Scrum, 24% used Kanban, and 29% used Lean methodologies. Teams even expanded their use of Waterfall development, with more than a quarter (26%) adopting that approach.
“DevOps teams are not limiting themselves to any one way of working,” Hunt says. “They are flexible and willing to adjust their approaches to meet various business and project needs.”
The increase in agile approaches to software development and deployment has resulted in faster deployment of software. Seven in 10 survey respondents said their teams deploy at least once every few days or more frequently, a jump of 11 points from 2021. Integrating automated testing, deployment, and security controls into the development pipeline is a key factor in speeding application deployment, with nearly half (47%) of teams asserting that their testing is fully automated today, up from 25% in 2021.
The adoption of low-code and no-code APIs for development has also made teams more efficient. Two-thirds (66%) of survey takers are using at least one low-code or no-code tool in their DevOps practice, a significant increase from the 25% of those surveyed in 2021.
Yet the expanding number of options for development, deployment, and securing of software has resulted in more confusion, leading DevOps teams to look to simplify their pipeline and toolsets, GitLab’s study found. While 44% of DevOps teams use two to five tools to manage the software development process, 41% use between six and 10 tools.
“That’s a lot of tools, and 69% of survey takers told us they’d like to consolidate their toolchains,” GitLab stated in the survey report.
AI and Machine Learning ‘On the Rise’
Artificial intelligence and machine-learning technologies have seen mixed adoption among developers and application-security specialists. While AI/ML is at the bottom of the list of priorities for developers’ future careers, a majority of security pros (54%) said AI/ML will help them most in their future careers. AI/ML particularly suits the security domain. For example, AI/ML systems can be trained to detect and respond to threats, generate alerts, and trigger rule sets.
“But AI/ML is far from falling off of developers’ radars. In fact, its use is on the rise,” Hunt says, adding: “This is especially helpful when it comes to detecting and defending against attacks and malicious actors, since security professionals cannot watch every packet and connection that traverses a network.”
Security continues to take a larger role in the software development pipeline, with 57% of companies shifting security responsibility “left” and making developers more responsible for the vulnerabilities in their code. Yet there is still a ways to go, with a significant number of developers blaming security for delays and the division of responsibility for software security very much in flux.
“While dev and ops are taking on a larger share of security ownership, it’s not so straightforward on the sec team,” GitLab stated in the report. “In 2020 and 2021, the percentage of security pros who said they were fully responsible for security was roughly the same as those who said everyone was responsible.”