Managing the Hidden Costs and Challenges of DevSecOps Security
November 25, 2024

Sean Pratt
JFrog

The DevSecOps approach to software development aims to make delivering software faster, more efficient, and significantly more secure. However, the escalating complexity of software supply chains and the applications being built is shifting greater security responsibilities onto developers. This shift is driving up costs and workload, threatening developer productivity and the overall quality of applications. Left unchecked, these pressures can jeopardize the very security that DevSecOps aims to enhance.

The Cost of Inaction in DevSecOps

Developers estimate that they waste about 19% of their weekly hours — equating to 8.16 hours — on security-related tasks. This accumulation translates to a staggering $28,100 wasted per developer each year. Alarmingly, the burden of security tasks is climbing, with developers increasingly dedicating their time to fixing vulnerabilities. This reality is not just a financial burden; it erodes job satisfaction, destroys work-life balance, and leads to burnout and higher turnover rates.

There's a critical distinction among organizations grappling with the high cost of security: those that adopt a reactive approach instead of a proactive one.

Proactive vs. Reactive: The Heart of Efficiency

Oftentimes organizations that are new to DevSecOps establish a more reactive approach to security wherein developers scramble to remediate vulnerabilities in later stages of the software development lifecycle (SDLC). The better approach is to design a proactive strategy that weaves security into every stage of the software development process. By identifying and mitigating potential vulnerabilities early in the process, developers won't need to spend time backtracking, thus enhancing productivity and security.

Where Is Time Being Wasted?

While integrating security into every facet of software development is indispensable, it's still siphoning a lot of developers' attention and time. There are two primary activities that drain developer time: context switching and manual reviews:

Context switching happens when developers must shift focus between different tools and tasks. Unfortunately, with developers juggling between 11 to 14 DevSecOps tools, frequent changes in focus slow productivity. Fewer, more tightly integrated tools could streamline responsibilities, reducing errors and wasted time.

Manual Reviews: Developers also lose time manually reviewing security scan results plagued by false positives and duplicates. IDC's report indicates developers spend an average of 3.5 hours weekly addressing security activities like secrets detection, infrastructure-as-code (IaC) scanning, software composition analysis (SCA), and static application security testing (SAST). Why is this so time-consuming? Many secrets detection tasks follow a time-based approach — weekly or monthly — rather than integrating checks into every code review or aligning them with code changes. This fragmented methodology results in potential vulnerabilities slipping through cracks, wasting even more time in remediation if issues go undetected.

Empowering Developers for Success

To truly optimize DevSecOps, organizations must provide developers with the necessary training and support to instill security measures from the outset.
Implementing automated and continuous scanning processes will not only provide real-time feedback but also lessen the manual burden on developers. Organizations must prioritize giving developers access to ongoing secure coding education, bridging the gap between security and DevOps teams. When developers are poised to incorporate security into the early stages of the SDLC, the entire process becomes instinctive and efficient.

By scrutinizing and refining DevSecOps practices, offering continuous training, and leveraging effective tools, organizations can bolster their security posture while alleviating the hidden burdens on development teams. This holistic approach not only enhances security outcomes but also cultivates a more productive and efficient software supply chain.

Sean Pratt is Senior DevSecOps Evangelist at JFrog
Share this

Industry News

February 18, 2025

Check Point® Software Technologies Ltd.(link is external) announced that its Check Point CloudGuard solution has been recognized as a Leader across three key GigaOm Radar reports: Application & API Security, Cloud Network Security, and Cloud Workload Security.

February 13, 2025

LaunchDarkly announced the private preview of Warehouse Native Experimentation, its Snowflake Native App, to offer Data Warehouse Native Experimentation.

February 13, 2025

SingleStore announced the launch of SingleStore Flow, a no-code solution designed to greatly simplify data migration and Change Data Capture (CDC).

February 13, 2025

ActiveState launched its Vulnerability Management as a Service (VMaas) offering to help organizations manage open source and accelerate secure software delivery.

February 12, 2025

Genkit for Node.js is now at version 1.0 and ready for production use.

February 12, 2025

JFrog signed a strategic collaboration agreement (SCA) with Amazon Web Services (AWS).

February 12, 2025

mabl launched of two new innovations, mabl Tools for Playwright and mabl GenAI Test Creation, expanding testing capabilities beyond the bounds of traditional QA teams.

February 11, 2025

Check Point® Software Technologies Ltd.(link is external) announced a strategic partnership with leading cloud security provider Wiz to address the growing challenges enterprises face securing hybrid cloud environments.

February 11, 2025

Jitterbit announced its latest AI-infused capabilities within the Harmony platform, advancing AI from low-code development to natural language processing (NLP).

February 11, 2025

Rancher Government Solutions (RGS) and Sequoia Holdings announced a strategic partnership to enhance software supply chain security, classified workload deployments, and Kubernetes management for the Department of Defense (DOD), Intelligence Community (IC), and federal civilian agencies.

February 10, 2025

Harness and Traceable have entered into a definitive merger agreement, creating an advanced AI-native DevSecOps platform.

February 10, 2025

Endor Labs announced a partnership with GitHub that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities—all without leaving GitHub.

February 06, 2025

GitHub announced a wave of new features and enhancements to GitHub Copilot to streamline coding tasks based on an organization’s specific ways of working.

February 06, 2025

Mirantis launched k0rdent, an open-source Distributed Container Management Environment (DCME) that provides a single control point for cloud native applications – on-premises, on public clouds, at the edge – on any infrastructure, anywhere.

February 06, 2025

Hitachi Vantara announced a new co-engineered solution with Cisco designed for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes.