While there’s clearly a lot of interest in DevSecOps best practices, a survey of more than 3,000 DevOps practitioners suggests adopting DevSecOps will require a lot of patience and perseverance.
The “2019 State of DevOps Report,” co-written by Puppet, CircleCI and Splunk, ranks respondents on a scale of High, Medium and Low in terms of their overall DevOps evolution. Compared with last year, the survey suggests there hasn’t been a lot of collective progress. Most companies (79%) are in the Medium group, the same share as in 2018. Only 14% are in the High group, a 3% increase over last year.
Organizations in the high group also tend to have the highest level of security baked into their application development and deployment processes. The survey defines the five best practices for security integration as:
- Security and development teams collaborate on threat models.
- Security tools are integrated into the development integration pipeline so engineers can be confident they’re not inadvertently introducing known security problems into their codebases.
- Security requirements—both functional and non-functional—are prioritized as part of the product backlog.
- Infrastructure-related security policies are reviewed before deployment.
- Security experts evaluate automated tests and are called upon to review changes in high-risk areas of the code.
There’s no absolute correlation between the High group for DevOps and those organizations that have embedded cybersecurity into their best practices. However, the survey does find that organizations with high levels of security integration (61%) are on average better able to deploy applications on demand than those that have not integrated security (49%). The survey finds that 22% of the organizations at the highest level of security integration have also reached an advanced stage of DevOps evolution. Clearly, many of those organizations are able to achieve that goal because of the time and effort they put into embracing DevOps before moving on to master DevSecOps.
However, the survey also finds that organizations that have high levels of cybersecurity integration are not dramatically faster at remediating vulnerabilities than those that don’t. On the plus side, organizations that have deeper security integration are able to more effectively prioritize security improvements over feature delivery and also are better able to halt a push to production to address a security issue. Overall, 82% of survey respondents at firms with the highest level of security integration said their security policies and practices significantly improve their organization’s security posture.
Nigel Kersten, Field CTO at Puppet, said the survey results make it clear that DevSecOps is still a messy process inside most organizations. In fact, Kersten noted, there is no apparent advantage to having cybersecurity professionals participating in every sprint versus making them available as a central resource so long as all the participants are committed to collaboration.
Kersten said there is still a lot of progress that needs to be made securing basic infrastructure, much less the applications deployed on top of it. Merely telling the organization to shift security to the left is not going to suffice.
Nevertheless, organizations that do lay aside their internal biases to embrace best DevSecOps practices often become more agile than those that don’t.