Research Report Survey: The 2021 State of DevSecOps


Introduction

A pandemic alone did not define the year 2020. Behind the scenes, the digital world was also under threat. Enterprises and government agencies came under major cybersecurity attacks, the most infamous of which compromised SolarWinds, Microsoft, VMware and their clients, including US government agencies (1). Compounding this increase in external threats, the overnight necessity of moving to work-from-home environments wherever possible, without sufficient preparation or safeguards, created major cybersecurity vulnerabilities.

The urgency of addressing these threats comes from continued advances in digital inter-connectivity that permeate all areas of our lives, both in the workplace and personally. Enabling this progress is faster, more scalable creation and deployment of software applications made possible by the rapid shift to Infrastructure as a Service (IaaS) cloud-based platforms. In this context of accelerated change mixed with an increasing number of hostile attacks, staying “safe and secure” has become a top concern in the digital world as much as that of the physical one. Cybersecurity is now a priority of both nation-states and enterprises alike.

As with all efforts at safety and security, cybersecurity starts with prevention. In the world of software development, this has resulted in the growth of DevSecOps, an approach that literally puts security at the center, integrated into software development and operations/deployment. Only with this approach can rapid development be balanced with security in creating new software products.

Setting the stage for what to expect of DevSecOps developments in 2021, Security Compass is undertaking a series of in-depth quantitative research projects on the topic. The focus is on large enterprises (US$1B+ in annual revenue), where threats are gravest. Viewpoints are being gathered from CEOs to frontline practitioners, including all levels in between, covering software development and risk management functions. This report provides research highlights from the first set of findings.

Keeping Up With Change

Pie chart showing 96% of organizations planning an IaaS transition in 2021, with 4% not planning it. Bar graph depicting the percentage of applications converting to the cloud in 2021: 37% for 50-74% of applications, 31% for 25-49%, 22% for more than 75%, and 10% for less than 25%.

Our research quantified what we see on the ground floor of many global enterprises – near unanimity in IaaS adoption, accounting for over half of new software application development.

Surveying senior execs and practitioners also quantified what we hear from many in the industry — 75% believe that manual processes for security and compliance hamper the ability to get new products to market.

Semi-circle chart showing the impact of manual security/compliance processes on code release speed: 37% say “a lot,” 38% say “a moderate amount,” 18% say “a little,” and 7% say “none.”

Adopting DevSecOps

Bar graph comparing DevSecOps adoption in the US and UK. Categories include majority of apps, minority of apps, planning to adopt, and no plans to adopt.


Conversion to cloud services for application development and deployment brings with it an increasing necessity of DevSecOps adoption, as the accompanying chart demonstrates.

In meeting these and other challenges, the vast majority of enterprises in the US and UK are adopting DevSecOps for their software application development.


The Drivers Of DevSecOps

Bar graph indicating the state of adopting DevSecOps due to cloud migration: not yet implemented but planned, implemented on a minority of apps, and implemented on a majority of apps. Bar graph highlighting drivers of DevSecOps programs: 54% for improving security, 30% for bringing technology to market faster, 10% for reducing organizational silos, and 6% for reducing costs.

Goals also vary based on the state of DevSecOps maturity. Large enterprises that are still in the planning stages are more likely to cite “bringing technology to market faster” and “reducing costs” as reasons to adopt DevSecOps than “improving security, quality and/or resilience”. Along with security threats, these goals undoubtedly prompt them towards DevSecOps adoption.

Large enterprises, from major financial institutions to the US DoD, have well-documented DevSecOps challenges (2,3). Their environments are notable for high IT complexity and for enduring high security pressures (4). In light of the formidable obstacles that large, complex enterprises face, market surveys of them were undertaken.

The findings demonstrate alignment on improved security, quality and resilience as the #1 priority for DevSecOps programs. As illustrated in the accompanying chart, adopting a “security by design” approach is, for many enterprises, consistent with their goal of “bringing technology to market faster”.

Bar graph displaying drivers of DevSecOps programs based on implementation stages: 54% for improving security, 30% for bringing technology to market faster, 10% for reducing organizational silos, and 6% for reducing costs.

Challenges

Bar graph showing security and compliance processes like risk assessments, secure coding guidelines, developer training, threat modeling, and privacy by design. Another bar graph below showing challenges in DevSecOps implementation such as technical challenges, cost, insufficient time to adopt, lack of education, lack of skills/talent, and political/organizational challenges.

Time To Market

Stacked bar graph comparing proactive and reactive processes. For proactive processes: 22% strongly agree, 27% agree, 22% neutral, 16% disagree, and 12% strongly disagree. For reactive processes: 14% strongly agree, 39% agree, 14% neutral, 18% disagree, and 14% strongly disagree. Pie chart showing 80% agree/strongly agree on time-to-market issues.

Approximately half of C-Suite executives believe that both reactive and proactive software security processes slow their time to market. Even more strongly than the C-Suite, the vast majority of professionals tasked with “getting the job done” either agree or strongly agree that security and compliance processes slow down their time to market, which affects their competitiveness. Risk personnel are more concerned about this issue than Tech personnel.

Asked what the specific time-to-market issues are, DevSecOps personnel pointed to insufficient automation as #1, along with technical challenges and organizational silos. Among those who are fully adopting cloud services in 2021, insufficient automation is also #1.

Bar graph illustrating challenges like insufficient automation, lack of tooling, organizational barriers, lack of education, and not enough qualified experts.

Automate

Infographic stating automation is a high priority, with 84% agreeing or strongly agreeing to allocate budget and 96% considering it a major/medium priority in 2021.

The necessity of DevSecOps increases in tandem with the breadth and complexity of software products. Small wonder, then, that cybersecurity automation is on the minds of CxOs, executives and practitioners alike. Looking at specific tasks such as risk assessments and threat modeling, the time automation saves is clear. Physician, heal thyself.

An image showing two bar charts comparing the time taken to perform threat modeling and risk assessments. Time intervals are categorized as weeks, days, hours, and minutes (automated).

As applications are converted to the cloud, automation becomes a necessity. Taking a DevSecOps approach to software development requires automation.

An image illustrating interest in automated solutions correlated with IaaS conversion rates. Bar charts display the levels of agreement (strongly agree, agree, neither) across different percentages of app conversions to IaaS (<25%, 26-50%, 51-75%, 76-100%).

Conclusion

Recognizing that many of the breaches and vulnerabilities that occur in software products are a result of human error in design, it is critical to build security into the software development lifecycle from the very beginning. At the same time, security and risk practitioners need to balance this against the organization’s need to deliver software to users quickly. Integrating security into each stage of software development while maintaining speed can only be done through automation. For enterprises that embrace this DevSecOps approach, people become “part of the solution” rather than “the problem” (6).

Certainly, living in an era of pandemic has brought with it further ills, including a rapid increase in cybersecurity threats. Some estimates put the increase in cyberattacks as high as three to five times compared to pre-pandemic levels (7). Unfortunately, even once the human virus is finally brought under control, the threats to software will continue unabated. Recognizing this reality, Security Compass takes a security and compliance approach that begins with the very first lines of code written and then guides the process throughout the entire software development lifecycle. Rather than slowing the process, putting in place the proper guardrails, providing training, and automating security and compliance processes speeds, not impedes, the time to market for new software.

Security Compass offers the industry’s first Balanced Development Automation (BDA) platform, in recognition of which “SD Elements” was named the 2020 Application Security Solution of the Year by the Cybersecurity Breakthrough Awards. SD Elements acts as a guide through every step of the software development process and delivers security and compliance instructions throughout the build. By injecting security and compliance early into the application development process, organizations are able to get their products to market faster while improving security.