SmartBear announced its acquisition of QMetry, provider of an AI-enabled digital quality platform designed to scale software quality.
The DevSecOps approach to software development aims to make delivering software faster, more efficient, and significantly more secure. However, the escalating complexity of software supply chains and the applications being built is shifting greater security responsibilities onto developers. This shift is driving up costs and workload, threatening developer productivity and the overall quality of applications. Left unchecked, these pressures can jeopardize the very security that DevSecOps aims to enhance.
The Cost of Inaction in DevSecOps
Developers estimate that they waste about 19% of their weekly hours — equating to 8.16 hours — on security-related tasks. This accumulation translates to a staggering $28,100 wasted per developer each year. Alarmingly, the burden of security tasks is climbing, with developers increasingly dedicating their time to fixing vulnerabilities. This reality is not just a financial burden; it erodes job satisfaction, destroys work-life balance, and leads to burnout and higher turnover rates.
There's a critical distinction among organizations grappling with the high cost of security: those that adopt a reactive approach instead of a proactive one.
Proactive vs. Reactive: The Heart of Efficiency
Oftentimes organizations that are new to DevSecOps establish a more reactive approach to security wherein developers scramble to remediate vulnerabilities in later stages of the software development lifecycle (SDLC). The better approach is to design a proactive strategy that weaves security into every stage of the software development process. By identifying and mitigating potential vulnerabilities early in the process, developers won't need to spend time backtracking, thus enhancing productivity and security.
Where Is Time Being Wasted?
While integrating security into every facet of software development is indispensable, it's still siphoning a lot of developers' attention and time. There are two primary activities that drain developer time: context switching and manual reviews:
■ Context switching happens when developers must shift focus between different tools and tasks. Unfortunately, with developers juggling between 11 to 14 DevSecOps tools, frequent changes in focus slow productivity. Fewer, more tightly integrated tools could streamline responsibilities, reducing errors and wasted time.
■ Manual Reviews: Developers also lose time manually reviewing security scan results plagued by false positives and duplicates. IDC's report indicates developers spend an average of 3.5 hours weekly addressing security activities like secrets detection, infrastructure-as-code (IaC) scanning, software composition analysis (SCA), and static application security testing (SAST). Why is this so time-consuming? Many secrets detection tasks follow a time-based approach — weekly or monthly — rather than integrating checks into every code review or aligning them with code changes. This fragmented methodology results in potential vulnerabilities slipping through cracks, wasting even more time in remediation if issues go undetected.
Empowering Developers for Success
To truly optimize DevSecOps, organizations must provide developers with the necessary training and support to instill security measures from the outset.
Implementing automated and continuous scanning processes will not only provide real-time feedback but also lessen the manual burden on developers. Organizations must prioritize giving developers access to ongoing secure coding education, bridging the gap between security and DevOps teams. When developers are poised to incorporate security into the early stages of the SDLC, the entire process becomes instinctive and efficient.
By scrutinizing and refining DevSecOps practices, offering continuous training, and leveraging effective tools, organizations can bolster their security posture while alleviating the hidden burdens on development teams. This holistic approach not only enhances security outcomes but also cultivates a more productive and efficient software supply chain.
Industry News
Red Hat signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS) to scale availability of Red Hat open source solutions in AWS Marketplace, building upon the two companies’ long-standing relationship.
CloudZero announced the launch of CloudZero Intelligence — an AI system powering CloudZero Advisor, a free, publicly available tool that uses conversational AI to help businesses accurately predict and optimize the cost of cloud infrastructure.
Opsera has been accepted into the Amazon Web Services (AWS) Independent Software Vendor (ISV) Accelerate Program, a co-sell program for AWS Partners that provides software solutions that run on or integrate with AWS.
Spectro Cloud is a launch partner for the new Amazon EKS Hybrid Nodes feature debuting at AWS re:Invent 2024.
Couchbase unveiled Capella AI Services to help enterprises address the growing data challenges of AI development and deployment and streamline how they build secure agentic AI applications at scale.
Veracode announced innovations to help developers build secure-by-design software, and security teams reduce risk across their code-to-cloud ecosystem.
Traefik Labs unveiled the Traefik AI Gateway, a centralized cloud-native egress gateway for managing and securing internal applications with external AI services like Large Language Models (LLMs).
Generally available to all customers today, Sumo Logic Mo Copilot, an AI Copilot for DevSecOps, will empower the entire team and drastically reduce response times for critical applications.
iTMethods announced a strategic partnership with CircleCI, a continuous integration and delivery (CI/CD) platform. Together, they will deliver a seamless, end-to-end solution for optimizing software development and delivery processes.
Progress announced the Q4 2024 release of its award-winning Progress® Telerik® and Progress® Kendo UI® component libraries.
Check Point® Software Technologies Ltd. has been recognized as a Leader and Fast Mover in the latest GigaOm Radar Report for Cloud-Native Application Protection Platforms (CNAPPs).
Spectro Cloud, provider of the award-winning Palette Edge™ Kubernetes management platform, announced a new integrated edge in a box solution featuring the Hewlett Packard Enterprise (HPE) ProLiant DL145 Gen11 server to help organizations deploy, secure, and manage demanding applications for diverse edge locations.
Red Hat announced the availability of Red Hat JBoss Enterprise Application Platform (JBoss EAP) 8 on Microsoft Azure.
Launchable by CloudBees is now available on AWS Marketplace, a digital catalog with thousands of software listings from independent software vendors that make it easy to find, test, buy, and deploy software that runs on Amazon Web Services (AWS).