Strong DevOps Leads to Stronger Security
August 05, 2019

Valerie Silverthorne
GitLab

Want to get to DevSecOps? Start by developing mature DevOps practices. Security pros report an established DevOps team is three times more likely to find bugs before code is merged and 90% more likely to test between 91% and 100% of code than early-stage efforts. Those findings, from GitLab's 2019 Global Developer Report: DevSecOps, reflect the experience of more than 4,000 developer, security, and operations professionals across various industries, roles, and geographic locations.

Not surprisingly, the survey showed that DevOps done right provides an enormous benefit to companies trying to deliver quality software faster. Nearly half of mature DevOps teams reported daily continuous deployment in at least one part of their organizations, while 89% said a solid DevOps team leads to greater insight into what the team is working on. Developers said they are 1.4 times more likely to feel innovative when they're part of a mature DevOps team, while security pros said effective DevOps helps dramatically reduce the red tape involved in bug remediation. And operations team members are 1.8 times more likely to get sufficient notice to support developer efforts in an established DevOps environment.

But there's no question that for most companies, DevOps is still a work in progress. Only about one-third of the survey respondents rated their companies' DevOps efforts as "good." Roughly 50% of all survey respondents called out testing as most likely to delay development, a fact which underscores the continuing struggle to incorporate automation in to the mix. And despite the clear benefits to security from a mature DevOps practice, the inverse is true: An immature or troubled DevOps team will discover bugs late, battle to get developers on board for remediation and find innovation difficult if not impossible.

So while the benefits of DevOps are clear, the disadvantages of poor DevOps are just as obvious. Here's a quick snapshot of where each group stands relative to DevOps.

Developers and DevOps

The developers surveyed were a relatively upbeat group. Nearly 60% said their organization's development processes were set up to help them succeed and 63% said those processes help them nnovate. More than 50% are very happy with the tools they use. Scrum is the most popular development method at 50%, followed by Kanban (37%) and DevOps (36%). Just 17% use waterfall.

Barriers between dev and ops remain. Only about one-third of developers felt operations were able to quantify and document their work and less than half think operations gets sufficient notice to support them.

About 70% of developers said they are expected to write secure code, but comments offered during the survey made it clear the mechanisms to make that happen remain elusive at most organizations.

And while DevOps isn't quite an established development currency, it's clear to developers what happens when DevOps isn't done well: 88% of those working at companies with a poor DevOps model don't feel their development processes are designed to help them succeed.

Security and DevSecOps

The survey respondents use a variety of application security methods to identify problems. Dependency scanning is the most popular at 56%, followed by cloud security (42%), container security (41%), SAST (35 %), license compliance (29%t) and DAST at 22%. All told, 12% of security teams test between 61-75% of the code.

Automation, though vital for successful DevOps, remains a challenge to implement. Roughly a third of respondents rely on security testing results from the developer pipeline report or use automated SAST in the CI/CD pipeline. And 25% said they don't know how their team automates software testing.

But thanks to DevOps there is steady progress when it comes to bringing developers in to the security process. Half of those surveyed said coders receive and address security feedback during the development process and 44% report that security vulnerabilities are a performance metric for developers in their organizations.

Like the other groups, security pros see the value of a strong DevOps practice particularly when it comes to finding or fixing bugs. A majority of security professionals said not doing DevOps well makes it 2.6 times more likely they have to deal with red tape in order to remediate potential security risks.

Thoughts on Operations

As far as ops pros are concerned, it's DevOps for the win. A full 70% said they practice DevOps, followed by Scrum (61%) and Kanban (43%). And their priorities are clear; operations pros pay attention first to the product roadmap timeline followed by ROI, the current workload of individual developers, and the estimated cost of development.

Ops teams are happy with the tools their organizations use – more than 61% said their tools were the best for the job. And 59% of operations professionals said their recommendations for tools and best practices were followed by their organization. More than half of operations team members surveyed said their organizations continuously deploy, and over one-third deploy somewhere between daily and once a month.

And like their security and developer counterparts, ops pros know the value of a well-running DevOps practice: They said companies are 2.5 times more likely to encounter the most delays in the planning stage if the DevOps model is poor.

Facing the Future

Not surprisingly, all of the survey respondents reported ambitious plans for 2019. Almost two-thirds want to invest in infrastructure to support continuous integration, deployment, and delivery. About half hope to improve automation, while 44% will increase use of containers and 43% will double down on DevOps. And just over one-third plan to expand their use of the cloud.

Developers and security pros also hope to invest more in continuous integration, deployment, and delivery as well as amping up automation and container use. Operations teams are on the CI/CD and automation bandwagons as well, but they're also looking to deepen their commitment to DevOps.

Valerie Silverthorne is Senior Content Editor at GitLab
Share this

Industry News

October 10, 2019

CloudBees launched a new partner program that expands ISV partners’ ability to align with CloudBees offerings and the global Jenkins community.

October 08, 2019

Nureva announced a key update to the Jira Software integration with Span Workspace, Nureva’s cloud-based digital canvas for visual planning and collaboration.

October 08, 2019

Fugue announced support for Open Policy Agent (OPA), an open source general-purpose policy engine and language for cloud infrastructure.

October 03, 2019

Redgate announced the launch of SQL Compare v14, the latest version of its industry standard tool for quickly and accurately comparing and deploying SQL Server databases.

October 03, 2019

Harness announced the release of Continuous Insights, a new capability of its CD platform that enables organizations to see clearly into software delivery performance across their engineering and development teams without needing to manually collect, correlate, and report metrics that might take days or weeks.

October 03, 2019

OutSystems and Workato announced a partnership aimed at allowing organizations to rapidly realize innovation, time to value, productivity, and mission-critical objectives through readily available application connectors.

October 02, 2019

Kong announced an acquisition and several new products.

October 02, 2019

Contrast Security announced the availability of .NET Core support on Contrast Community Edition (CE).

October 02, 2019

Checkmarx earned Amazon Web Services (AWS) Security Competency status for its Software Security Platform.

October 01, 2019

Parasoft announced the release of its newest product, Parasoft Selenic, a UI testing solution that makes Selenium smarter, to help organizations find real bugs faster.

October 01, 2019

Micro Focus announced the general availability of Deployment Automation 6.3, offering new deployment improvements for its Release Orchestration solution set.

October 01, 2019

Compuware announced enhancements to Topaz for Total Test and a partnership with OpenLegacy to help large enterprises speed mainframe software development and delivery while improving quality.

September 30, 2019

Deque Systems announced Axe Pro, a key addition to Axe, the web accessibility testing browser extension.

September 30, 2019

NIIT Technologies and mabl, Inc announced a partnership to deliver AI-driven automated solution for faster, economical and better application testing services.

September 30, 2019

Rockset announced the capability to analyze raw events from Apache Kafka in real time.