The 2019 DevSecOps Community Survey, hosted by open source software development company Sonatype, shows that mature programs are 700% more likely to automate security as adversaries accelerate their pace.

Represented locally by 9TH BIT Consulting, Sonatype recently announced the findings of its 6th annual DevSecOps Community Survey of 5 558 IT professionals. The survey has unveiled a new portrait of what organisations with elite DevSecOps programs look like in the face of accelerating attacks from bad actors.

Barry de Waal, chief executive of strategy and sales at 9TH BIT Consulting, says that, as DevOps practices mature rapidly, elite organisations are automating security earlier in the development lifecycle and managing their software supply chains as a critical differentiator from their competitors.

“The survey results revealed that companies with elite DevSecOps programs are outperforming other enterprises by extreme margins,” he says.

The factors that set elite programs apart include:

* DevOps automation – Elite DevSecOps practices are 700% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have increased feedback loops that enable security issues to be identified directly from tools.

* Open source controls – 62% of respondents with elite programs have an open source governance policy in place, where automation improves adherence to it, compared to just 25% of those without DevOps practices.

* Container controls – 51% of respondents with elite practices say they use automated security products to identify vulnerabilities in containers, compared to only 16% of those without DevOps practices.

* Training – Organisations with elite DevSecOps practices are three times more likely to provide application security training to developers than those organisations without DevOps practices.

* Preparedness – 81% of those with elite practices have a cybersecurity response plan in place, compared to 62% of those without DevOps practices.

“Forty-seven percent of the organisations we surveyed are deploying to production multiple times a week, while the velocity of their security practices is also increasing,” says Derek Weeks, vice-president and DevOps advocate at Sonatype.

“The DevSecOps community has shown us that elite organisations are performing significantly less manual work, seamlessly blending security into their developers’ world, and are better prepared for remediating security incidents as they arise, when compared to their counterparts without DevOps practices.”

De Waal adds: “Out of the 5 000-plus respondents, 24% have suspected or verified a breach related to open source components and this represents a 71% increase since Heartbleed made headlines five years ago.

“Fifty percent of elite programs produce a complete software bill of materials that’s updated regularly, while only 19% of those without DevOps practices keep this.

“Notably, developers continue to believe security is important, but are unable to make it a priority. This is the third year in a row where 48% of respondents admitted that developers feel they don’t have the time to spend on this, with 50% of respondents using cloud infrastructure simply relying on the service provider to secure their cloud.

“Lastly, but also key, is that 46% of organisations without DevOps practices do not have application-level credentials encrypted, while 75% of elite DevSecOps practices do.”