IT professionals are recognizing the weaknesses of DevOps and are looking for ways to improve. Security is the main gripe many people have, and this has driven the growing popularity of DevSecOps. Sonatype recently released a survey in which it talked with over two thousand IT professionals about DevOps and where security fits into their practice.
The data collected placed respondents into three brackets: mature DevOps practices, improving, and immature. Mature represented 25% of respondents, improving 49%, and immature 26%. Across all groups combined, only “48% of developers know security is important, but don’t have enough time to spend on it.”
So, if so few developers are mature in their DevOps, and nearly half lack the time to spend on security, where does security come in? This varies tremendously, but it’s clear that mature DevOps teams have a better understanding of security. 57% of mature DevOps teams have security throughout their development pipeline, while only 13% of non-DevOps teams do the same. The study states, “Mature DevOps practices are 338% more likely to integrate automated security.” This is an enormous difference and emphasizes the importance of DevOps.
High-profile security breaches have become the norm lately. Has this increased interest in DevSecOps practices? According to this study, the picture is mixed. Only 45% of non-DevOps companies expressed interest in DevSecOps. Pair that with the fact that these companies also show less dedication to security, and they’re bound for trouble.
Many of these security breaches can be attributed to poor open-source component practices; Equifax is a common example. 31% of the surveyed professionals suspect or have verified a breach related to open source components in the last year. Since this counts only verified or suspected breaches, the reality is that the true number is much higher.
Open source components
The data in this report shows that 62% of organizations don’t have meaningful controls over what components are in their applications. This is incredibly problematic. Open source components are one of the fundamental fixtures of modern application development, but any practice without security is flawed.
Beyond this, 58% of non-DevOps companies have an open source governance policy, which doesn’t sound terrible, but 46% of these respondents ignore it. For mature DevOps teams, the numbers go up to 77% having a policy, with 24% ignoring it.
Security professionals left out
The most disappointing result of this survey, in my opinion, is that 72% of respondents see security professionals as a “nag.” This is a serious problem. With the rise in security breaches and the problematic nature of open source components, security professionals need to be taken seriously.
Seeing them as a nag highlights the lack of legitimacy they’re given. DevOps is about breaking down IT silos; security should be a part of this. A culture of inclusion is what makes DevOps stand out from traditional IT practices.
Open source components are a fixture of containers. Sometimes this is great, and sometimes it’s not. How companies deal with this is what separates good from great software development.
63% of mature DevOps teams use security products to identify container vulnerabilities, while only 23% of non-DevOps teams do. This kind of negligence is problematic and likely the cause of many container-related breaches.
Written by Tyler W. Stearns.