Strong DevOps Leads to Stronger Security
August 05, 2019

Valerie Silverthorne
GitLab

Want to get to DevSecOps? Start by developing mature DevOps practices. Security pros report an established DevOps team is three times more likely to find bugs before code is merged and 90% more likely to test between 91% and 100% of code than early-stage efforts. Those findings, from GitLab's 2019 Global Developer Report: DevSecOps, reflect the experience of more than 4,000 developer, security, and operations professionals across various industries, roles, and geographic locations.

Not surprisingly, the survey showed that DevOps done right provides an enormous benefit to companies trying to deliver quality software faster. Nearly half of mature DevOps teams reported daily continuous deployment in at least one part of their organizations, while 89% said a solid DevOps team leads to greater insight into what the team is working on. Developers said they are 1.4 times more likely to feel innovative when they're part of a mature DevOps team, while security pros said effective DevOps helps dramatically reduce the red tape involved in bug remediation. And operations team members are 1.8 times more likely to get sufficient notice to support developer efforts in an established DevOps environment.

But there's no question that for most companies, DevOps is still a work in progress. Only about one-third of the survey respondents rated their companies' DevOps efforts as "good." Roughly 50% of all survey respondents called out testing as most likely to delay development, a fact which underscores the continuing struggle to incorporate automation in to the mix. And despite the clear benefits to security from a mature DevOps practice, the inverse is true: An immature or troubled DevOps team will discover bugs late, battle to get developers on board for remediation and find innovation difficult if not impossible.

So while the benefits of DevOps are clear, the disadvantages of poor DevOps are just as obvious. Here's a quick snapshot of where each group stands relative to DevOps.

Developers and DevOps

The developers surveyed were a relatively upbeat group. Nearly 60% said their organization's development processes were set up to help them succeed and 63% said those processes help them nnovate. More than 50% are very happy with the tools they use. Scrum is the most popular development method at 50%, followed by Kanban (37%) and DevOps (36%). Just 17% use waterfall.

Barriers between dev and ops remain. Only about one-third of developers felt operations were able to quantify and document their work and less than half think operations gets sufficient notice to support them.

About 70% of developers said they are expected to write secure code, but comments offered during the survey made it clear the mechanisms to make that happen remain elusive at most organizations.

And while DevOps isn't quite an established development currency, it's clear to developers what happens when DevOps isn't done well: 88% of those working at companies with a poor DevOps model don't feel their development processes are designed to help them succeed.

Security and DevSecOps

The survey respondents use a variety of application security methods to identify problems. Dependency scanning is the most popular at 56%, followed by cloud security (42%), container security (41%), SAST (35 %), license compliance (29%t) and DAST at 22%. All told, 12% of security teams test between 61-75% of the code.

Automation, though vital for successful DevOps, remains a challenge to implement. Roughly a third of respondents rely on security testing results from the developer pipeline report or use automated SAST in the CI/CD pipeline. And 25% said they don't know how their team automates software testing.

But thanks to DevOps there is steady progress when it comes to bringing developers in to the security process. Half of those surveyed said coders receive and address security feedback during the development process and 44% report that security vulnerabilities are a performance metric for developers in their organizations.

Like the other groups, security pros see the value of a strong DevOps practice particularly when it comes to finding or fixing bugs. A majority of security professionals said not doing DevOps well makes it 2.6 times more likely they have to deal with red tape in order to remediate potential security risks.

Thoughts on Operations

As far as ops pros are concerned, it's DevOps for the win. A full 70% said they practice DevOps, followed by Scrum (61%) and Kanban (43%). And their priorities are clear; operations pros pay attention first to the product roadmap timeline followed by ROI, the current workload of individual developers, and the estimated cost of development.

Ops teams are happy with the tools their organizations use – more than 61% said their tools were the best for the job. And 59% of operations professionals said their recommendations for tools and best practices were followed by their organization. More than half of operations team members surveyed said their organizations continuously deploy, and over one-third deploy somewhere between daily and once a month.

And like their security and developer counterparts, ops pros know the value of a well-running DevOps practice: They said companies are 2.5 times more likely to encounter the most delays in the planning stage if the DevOps model is poor.

Facing the Future

Not surprisingly, all of the survey respondents reported ambitious plans for 2019. Almost two-thirds want to invest in infrastructure to support continuous integration, deployment, and delivery. About half hope to improve automation, while 44% will increase use of containers and 43% will double down on DevOps. And just over one-third plan to expand their use of the cloud.

Developers and security pros also hope to invest more in continuous integration, deployment, and delivery as well as amping up automation and container use. Operations teams are on the CI/CD and automation bandwagons as well, but they're also looking to deepen their commitment to DevOps.

Valerie Silverthorne is Senior Content Editor at GitLab
Share this

Industry News

February 07, 2023

SonarSource launched SonarQube 9.9 Long-Term Support (LTS).

February 07, 2023

Appdome announced its new Dev2Cyber Agility product initiative and partnership program.

February 07, 2023

Progress announced the completion of the acquisition of MarkLogic.

February 06, 2023

Red Hat announced the availability of Red Hat Ansible Automation Platform on Google Cloud, providing a common and flexible IT automation solution that extends from the cloud, to the datacenter and out to the edge without additional complexity or required skills.

February 06, 2023

Cequence Security has enhanced the testing capabilities within its Unified API Protection Platform with the availability of API Security Testing.

February 06, 2023

Netlify has acquired Gatsby Inc.

February 02, 2023

Red Hat announced a multi-stage alliance to offer customers a greater choice of operating systems to run on Oracle Cloud Infrastructure (OCI).

February 02, 2023

Snow Software announced a new global partner program designed to enable partners to support customers as they face complex market challenges around managing cost and mitigating risk, while delivering value more efficiently and effectively with Snow.

February 02, 2023

Contrast Security announced the launch of its new partner program, the Security Innovation Alliance (SIA), which is a global ecosystem of system integrators (SIs), cloud, channel and technology alliances.

February 01, 2023

Red Hat introduced new security and compliance capabilities for the Red Hat OpenShift enterprise Kubernetes platform.

February 01, 2023

Jetpack.io formally launched with Devbox Cloud, a managed service offering for Devbox.

February 01, 2023

Jellyfish launched Life Cycle Explorer, a new solution that identifies bottlenecks in the life cycle of engineering work to help teams adapt workflow processes and more effectively deliver value to customers.

January 31, 2023

Ably announced the Ably Terraform provider.

January 31, 2023

Checkmarx announced the immediate availability of Supply Chain Threat Intelligence, which delivers detailed threat intelligence on hundreds of thousands of malicious packages, contributor reputation, malicious behavior and more.

January 31, 2023

Qualys announced its new GovCloud platform along with the achievement of FedRAMP Ready status at the High impact level, from the Federal Risk and Authorization Management Program (FedRAMP).