Strong DevOps Leads to Stronger Security
August 05, 2019

Valerie Silverthorne
GitLab

Want to get to DevSecOps? Start by developing mature DevOps practices. Security pros report an established DevOps team is three times more likely to find bugs before code is merged and 90% more likely to test between 91% and 100% of code than early-stage efforts. Those findings, from GitLab's 2019 Global Developer Report: DevSecOps, reflect the experience of more than 4,000 developer, security, and operations professionals across various industries, roles, and geographic locations.

Not surprisingly, the survey showed that DevOps done right provides an enormous benefit to companies trying to deliver quality software faster. Nearly half of mature DevOps teams reported daily continuous deployment in at least one part of their organizations, while 89% said a solid DevOps team leads to greater insight into what the team is working on. Developers said they are 1.4 times more likely to feel innovative when they're part of a mature DevOps team, while security pros said effective DevOps helps dramatically reduce the red tape involved in bug remediation. And operations team members are 1.8 times more likely to get sufficient notice to support developer efforts in an established DevOps environment.

But there's no question that for most companies, DevOps is still a work in progress. Only about one-third of the survey respondents rated their companies' DevOps efforts as "good." Roughly 50% of all survey respondents called out testing as most likely to delay development, a fact which underscores the continuing struggle to incorporate automation into the mix. And just as a mature DevOps practice clearly benefits security, the inverse holds: an immature or troubled DevOps team will discover bugs late, battle to get developers on board for remediation and find innovation difficult if not impossible.

So while the benefits of DevOps are clear, the disadvantages of poor DevOps are just as obvious. Here's a quick snapshot of where each group stands relative to DevOps.

Developers and DevOps

The developers surveyed were a relatively upbeat group. Nearly 60% said their organization's development processes were set up to help them succeed and 63% said those processes help them innovate. More than 50% are very happy with the tools they use. Scrum is the most popular development method at 50%, followed by Kanban (37%) and DevOps (36%). Just 17% use waterfall.

Barriers between dev and ops remain. Only about one-third of developers felt operations were able to quantify and document their work and less than half think operations gets sufficient notice to support them.

About 70% of developers said they are expected to write secure code, but comments offered during the survey made it clear the mechanisms to make that happen remain elusive at most organizations.

And while DevOps isn't yet universal as a development method, it's clear to developers what happens when it isn't done well: 88% of those working at companies with a poor DevOps model don't feel their development processes are designed to help them succeed.

Security and DevSecOps

The survey respondents use a variety of application security methods to identify problems. Dependency scanning is the most popular at 56%, followed by cloud security (42%), container security (41%), SAST (35%), license compliance (29%) and DAST at 22%. All told, 12% of security teams test between 61% and 75% of the code.

Automation, though vital for successful DevOps, remains a challenge to implement. Roughly a third of respondents rely on security testing results from the developer pipeline report or use automated SAST in the CI/CD pipeline. And 25% said they don't know how their team automates software testing.

But thanks to DevOps there is steady progress when it comes to bringing developers into the security process. Half of those surveyed said coders receive and address security feedback during the development process and 44% report that security vulnerabilities are a performance metric for developers in their organizations.
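The two preceding paragraphs describe the goal (scanners running automatically in the CI/CD pipeline, with findings fed back to developers before code is merged) without showing what the wiring looks like. The following `.gitlab-ci.yml` is an added example, not code from the GitLab report or from any project the report covers. It assumes a project hosted on GitLab where the `Security/*` CI templates are available, and the variable names (`SAST_EXCLUDED_PATHS`, `CS_IMAGE`, `DAST_WEBSITE`), the report file names (`gl-sast-report.json`, `gl-dependency-scanning-report.json`), and the review-environment URL are assumptions to be checked against the current GitLab documentation for your version.

```yaml
# Added example: wiring the scanners named in the survey into every pipeline.
# ASSUMPTIONS: GitLab Security/* templates are available; variable and report
# names follow current GitLab conventions; DAST_WEBSITE is a placeholder URL.
stages:
  - build
  - test      # the included scanning jobs run in this stage
  - gate      # our own job: block on critical findings
  - dast      # dynamic scan against a deployed review environment

include:
  - template: Security/SAST.gitlab-ci.yml                 # static analysis
  - template: Security/Dependency-Scanning.gitlab-ci.yml  # third-party packages
  - template: Security/Container-Scanning.gitlab-ci.yml   # OS packages in the image
  - template: Security/License-Scanning.gitlab-ci.yml     # license compliance
  - template: Security/DAST.gitlab-ci.yml                 # dynamic scan

variables:
  # Keep scanners focused on shipped code, not test fixtures (assumed variable names).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp"
  DS_EXCLUDED_PATHS: "spec, test, tests, tmp"
  # Container scanning needs to know which image to pull (assumed variable name).
  CS_IMAGE: "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"
  # DAST target: a review environment deployed from this commit (placeholder).
  DAST_WEBSITE: "https://review.example.internal"

build_image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE:$CI_COMMIT_SHA"

# The template jobs report findings into the merge request widget but are
# allow_failure by default, so they inform developers without blocking a merge.
# This added job turns "critical" findings into a hard pipeline failure, which is
# what "finding bugs before code is merged" requires in practice.
fail_on_critical:
  stage: gate
  image: alpine:3.19
  before_script:
    - apk add --no-cache jq
  script:
    - |
      found=0
      for report in gl-sast-report.json gl-dependency-scanning-report.json; do
        if [ ! -f "$report" ]; then
          echo "WARNING: $report not present (scanner skipped or artifact not passed on)"
          continue
        fi
        found=1
        critical=$(jq '[.vulnerabilities[] | select(.severity == "Critical")] | length' "$report")
        echo "$report: $critical critical finding(s)"
        if [ "$critical" -gt 0 ]; then
          jq -r '.vulnerabilities[] | select(.severity == "Critical") | "  - \(.name) (\(.location.file // "n/a"))"' "$report"
          exit 1
        fi
      done
      # No report at all means nothing was scanned; treat that as a failure too.
      [ "$found" -eq 1 ] || exit 1
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"
```

Two design points worth noting. The gate runs on merge request pipelines only, so feature-branch pushes still get scanned and surfaced in the MR without being blocked; the block happens at the point where code is about to be merged, which is where the survey's mature teams report finding bugs. And a missing report is treated as a failure rather than a pass: a scanner that silently did not run is exactly the "don't know how our team automates testing" situation a quarter of respondents described.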

Like the other groups, security pros see the value of a strong DevOps practice, particularly when it comes to finding or fixing bugs. A majority of security professionals said that not doing DevOps well makes it 2.6 times more likely that they have to deal with red tape in order to remediate potential security risks.

Thoughts on Operations

As far as ops pros are concerned, it's DevOps for the win. A full 70% said they practice DevOps, followed by Scrum (61%) and Kanban (43%). And their priorities are clear; operations pros pay attention first to the product roadmap timeline followed by ROI, the current workload of individual developers, and the estimated cost of development.

Ops teams are happy with the tools their organizations use – more than 61% said their tools were the best for the job. And 59% of operations professionals said their recommendations for tools and best practices were followed by their organization. More than half of operations team members surveyed said their organizations continuously deploy, and over one-third deploy somewhere between daily and once a month.

And like their security and developer counterparts, ops pros know the value of a well-running DevOps practice: They said companies are 2.5 times more likely to encounter the most delays in the planning stage if the DevOps model is poor.

Facing the Future

Not surprisingly, all of the survey respondents reported ambitious plans for 2019. Almost two-thirds want to invest in infrastructure to support continuous integration, deployment, and delivery. About half hope to improve automation, while 44% will increase use of containers and 43% will double down on DevOps. And just over one-third plan to expand their use of the cloud.

Developers and security pros also hope to invest more in continuous integration, deployment, and delivery as well as amping up automation and container use. Operations teams are on the CI/CD and automation bandwagons as well, but they're also looking to deepen their commitment to DevOps.

Valerie Silverthorne is Senior Content Editor at GitLab