Want to get to DevSecOps? Start by developing mature DevOps practices. Security pros report an established DevOps team is three times more likely to find bugs before code is merged and 90% more likely to test between 91% and 100% of code than early-stage efforts. Those findings, from GitLab's 2019 Global Developer Report: DevSecOps, reflect the experience of more than 4,000 developer, security, and operations professionals across various industries, roles, and geographic locations.
Not surprisingly, the survey showed that DevOps done right provides an enormous benefit to companies trying to deliver quality software faster. Nearly half of mature DevOps teams reported daily continuous deployment in at least one part of their organizations, while 89% said a solid DevOps team leads to greater insight into what the team is working on. Developers said they are 1.4 times more likely to feel innovative when they're part of a mature DevOps team, while security pros said effective DevOps helps dramatically reduce the red tape involved in bug remediation. And operations team members are 1.8 times more likely to get sufficient notice to support developer efforts in an established DevOps environment.
But there's no question that for most companies, DevOps is still a work in progress. Only about one-third of the survey respondents rated their companies' DevOps efforts as "good." Roughly 50% of all survey respondents called out testing as most likely to delay development, a fact which underscores the continuing struggle to incorporate automation in to the mix. And despite the clear benefits to security from a mature DevOps practice, the inverse is true: An immature or troubled DevOps team will discover bugs late, battle to get developers on board for remediation and find innovation difficult if not impossible.
So while the benefits of DevOps are clear, the disadvantages of poor DevOps are just as obvious. Here's a quick snapshot of where each group stands relative to DevOps.
Developers and DevOps
The developers surveyed were a relatively upbeat group. Nearly 60% said their organization's development processes were set up to help them succeed and 63% said those processes help them nnovate. More than 50% are very happy with the tools they use. Scrum is the most popular development method at 50%, followed by Kanban (37%) and DevOps (36%). Just 17% use waterfall.
Barriers between dev and ops remain. Only about one-third of developers felt operations were able to quantify and document their work and less than half think operations gets sufficient notice to support them.
About 70% of developers said they are expected to write secure code, but comments offered during the survey made it clear the mechanisms to make that happen remain elusive at most organizations.
And while DevOps isn't quite an established development currency, it's clear to developers what happens when DevOps isn't done well: 88% of those working at companies with a poor DevOps model don't feel their development processes are designed to help them succeed.
Security and DevSecOps
The survey respondents use a variety of application security methods to identify problems. Dependency scanning is the most popular at 56%, followed by cloud security (42%), container security (41%), SAST (35 %), license compliance (29%t) and DAST at 22%. All told, 12% of security teams test between 61-75% of the code.
Automation, though vital for successful DevOps, remains a challenge to implement. Roughly a third of respondents rely on security testing results from the developer pipeline report or use automated SAST in the CI/CD pipeline. And 25% said they don't know how their team automates software testing.
But thanks to DevOps there is steady progress when it comes to bringing developers in to the security process. Half of those surveyed said coders receive and address security feedback during the development process and 44% report that security vulnerabilities are a performance metric for developers in their organizations.
Like the other groups, security pros see the value of a strong DevOps practice particularly when it comes to finding or fixing bugs. A majority of security professionals said not doing DevOps well makes it 2.6 times more likely they have to deal with red tape in order to remediate potential security risks.
Thoughts on Operations
As far as ops pros are concerned, it's DevOps for the win. A full 70% said they practice DevOps, followed by Scrum (61%) and Kanban (43%). And their priorities are clear; operations pros pay attention first to the product roadmap timeline followed by ROI, the current workload of individual developers, and the estimated cost of development.
Ops teams are happy with the tools their organizations use – more than 61% said their tools were the best for the job. And 59% of operations professionals said their recommendations for tools and best practices were followed by their organization. More than half of operations team members surveyed said their organizations continuously deploy, and over one-third deploy somewhere between daily and once a month.
And like their security and developer counterparts, ops pros know the value of a well-running DevOps practice: They said companies are 2.5 times more likely to encounter the most delays in the planning stage if the DevOps model is poor.
Facing the Future
Not surprisingly, all of the survey respondents reported ambitious plans for 2019. Almost two-thirds want to invest in infrastructure to support continuous integration, deployment, and delivery. About half hope to improve automation, while 44% will increase use of containers and 43% will double down on DevOps. And just over one-third plan to expand their use of the cloud.
Developers and security pros also hope to invest more in continuous integration, deployment, and delivery as well as amping up automation and container use. Operations teams are on the CI/CD and automation bandwagons as well, but they're also looking to deepen their commitment to DevOps.