A new survey of 80 cybersecurity professionals who attended the recent RSA Conference 2018 event finds the number of organizations that have a formal or informal DevSecOps team in place has increased by several orders of magnitude year over year.
The survey, conducted by Aqua Security, finds 62 percent of respondents have a formal or informal DevSecOps team. That's up from last year, when a similar survey found only 13 percent of respondents had a DevSecOps team in place.
It’s still early days when it comes to implementing DevSecOps processes. But Andy Feit, vice president of go-to-market for Aqua Security, said the survey also makes it clear that these formal and informal DevSecOps teams have access to budget dollars. More than three-quarters of respondents (76 percent) said their application security budget has increased over the past five years. One-quarter (25 percent) reported the application security budget went up between 10 percent and 30 percent, and another 14 percent said budget dollars being allocated to application security increased by more than 40 percent.
Well over half of respondents (57 percent) said they have the human and financial resources in place to implement DevSecOps. A total of 70 percent of respondents said they believe their culture can embrace the change needed to fuse security and DevOps. Nearly half the respondents (47 percent) reported they are fairly or very mature in their implementation of DevSecOps, while another 39 percent ranked themselves as maturing.
The three elements of DevSecOps that respondents ranked as most important were applying security across the application life cycle (61 percent), automating application security controls (52 percent) and involving DevOps in security processes (43 percent).
The shift to DevSecOps is occurring in tandem with increased reliance on microservices that are based on containers. As that shift occurs, Feit said, IT organizations are rethinking their approach to application security. When applications are delivered as a series of microservices, it becomes critical to take a more granular approach to securing them, one that developers can apply as they build those applications. Cybersecurity professionals will then be able to focus more of their efforts on crafting the security policies that developers implement, he said.
It may take a while longer before cybersecurity professionals gain enough confidence in containers to deploy them on physical servers without relying on a hypervisor to provide isolation. But it's also now only a matter of time before developers insist on deploying containerized applications on bare-metal servers to attain the maximum performance possible by eliminating all the overhead added by a virtual machine. As that shift occurs, IT organizations will need new tools to secure and manage containers running on bare-metal servers.
At the same time, it's clear that securing all those containers will require new processes such as DevSecOps, because instead of patching applications to remediate them, developers will more easily replace specific containers to add new functions. Less clear is whether the adoption of DevSecOps will be driven from the top down or more as a grassroots initiative driven by the mutual self-interest of developers and IT security professionals. Regardless of the approach, cybersecurity as it is known today will not only be much different, but also arguably better.
— Mike Vizard