Aqua Security Survey Finds Sharp Rise in DevSecOps

A new survey of 80 cybersecurity professionals who attended the recent RSA Conference 2018 event finds the number of organizations that have a formal or informal DevSecOps team in place has increased by several orders of magnitude year over year.

The survey, conducted by Aqua Security, finds 62 percent of respondents have a formal or informal DevSecOps team. That’s up from last year, during which a similar survey found only 13 percent of respondents had a DevSecOps team in place.

It’s still early days when it comes to implementing DevSecOps processes. But Andy Feit, vice president of go-to-market for Aqua Security, said the survey also makes it clear that these formal and informal DevSecOps teams have access to budget dollars. More than three-quarters of respondents (76 percent) said their application security budget has increased over the past five years. One-quarter (25 percent) reported the application security budget went up between 10 percent and 30 percent, and another 14 percent said budget dollars being allocated to application security increased by more than 40 percent.

Well over half of respondents (57 percent) said they have the human and financial resources in place to implement DevSecOps. A total of 70 percent of respondents said they believe their culture can embrace the change needed to fuse security and DevOps. Nearly half the respondents (47 percent) reported they are fairly or very mature in their implementation of DevSecOps, while another 39 percent ranked themselves as maturing.

The three most important elements of DevSecOps, as ranked by respondents, were applying security across the app life cycle (61 percent), automating application security controls (52 percent) and involving DevOps in security processes (43 percent).

The shift to DevSecOps is occurring in tandem with increased reliance on microservices that are based on containers. As that shift occurs, Feit said IT organizations are rethinking their approach to application security. In delivering applications as a series of microservices, it becomes critical to take a more granular approach to securing those applications, one that developers can apply as they build them. Cybersecurity professionals will then be able to focus more of their efforts on crafting the security policies that developers implement, he said.

It may take a while longer before cybersecurity professionals gain enough confidence in containers to deploy them on physical servers without relying on a hypervisor to provide isolation. But it’s also now only a matter of time before developers insist on deploying container applications on bare-metal servers to attain the maximum amount of performance possible by eliminating all the overhead added by a virtual machine. As that shift occurs, IT organizations will need new tools to secure and manage containers running on bare-metal servers.

At the same time, it’s clear that securing all those containers will require new processes such as DevSecOps because instead of patching applications to remediate them, developers will more easily replace specific containers to add new functions. Less clear is whether the adoption of DevSecOps will be driven from the top down or more as a grassroots initiative driven by the mutual self-interest of developers and IT security professionals. Regardless of the approach, cybersecurity as it is known today will not only be much different, but also arguably better.

Mike Vizard

Mike Vizard is a seasoned IT journalist with over 25 years of experience. He also contributed to IT Business Edge, Channel Insider, Baseline and a variety of other IT titles. Previously, Vizard was the editorial director for Ziff-Davis Enterprise as well as Editor-in-Chief for CRN and InfoWorld.
