DevSecOps: Strategies, Organizational Benefits and Challenges
DevSecOps incorporates security best practices throughout software development as a way to speed up deployment while reducing risk. How prevalent is DevSecOps, and what are the top benefits and challenges associated with this approach?
One-minute insights:
- DevSecOps adoption on the rise among tech leaders, with half of respondents saying their organization has already adopted it
- GitHub is a common DevSecOps tool
- The DevSecOps strategy of many respondents’ organizations includes implementing defense-in-depth practices, role-based access control (RBAC) and infrastructure as code (IaC)
- A majority of respondents report fewer security incidents with DevSecOps
- Many respondents’ organizations adopted DevSecOps to address concerns about the risks of open source modules and libraries
A majority of tech leaders say their organizations have adopted or plan to adopt DevSecOps
Half (50%) of respondents’ organizations have implemented DevSecOps. 31% say their organizations are in the implementation process, while 11% plan to implement DevSecOps.
Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.
DevSecOps is becoming very important and we need to invest [in] more technology to improve our DevSecOps environment.
In my company, we need to redefine our DevSecOps strategy in order to be aligned to the overall IT and business strategy.
GitHub is a tool choice for tech leaders whose organizations have put DevSecOps into practice
Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.
We are evaluating new tools to strengthen our DevSecOps deployment.
[DevSecOps] is still maturing and there is [a] challenge of so many different tools needing to be combined to have an end-to-end assessment and release criteria.
Respondents see fewer security incidents with DevSecOps implementation. Many face challenges related to tools and developers
Respondents whose organizations have implemented DevSecOps, or are in the process of doing so (n = 244), are most satisfied with application inventory (75%) and automation (74%).
API inventories (14%) and testing (13%) are the components that these respondents are most commonly dissatisfied with.
Two-thirds (66%) of these respondents (n = 244) saw fewer security incidents as a result.
Developer-related issues are a prominent source of organizational challenges according to respondents whose organizations have already implemented or are planning to implement DevSecOps (n = 244). Specifically, developers struggle to use security testing tools (64%), lack an understanding of vulnerabilities (59%), and don’t feel responsible for security (51%).
Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.
Building a culture of security and compliance, and doing that through the shift left approach, yields great success for decreasing incidents and smoothing audits.
It needs [an] organizational operating model that aligns security and dev teams under a common goal/OKRS.
Defense-in-depth practices are often part of organizations’ DevSecOps strategies, and knowledge about the DevSecOps framework is important for job candidates
63% of respondents whose organizations have implemented, are implementing or plan to implement DevSecOps (n = 278) include defense-in-depth practices as part of their strategy. 60% include RBAC in their approach, while more than half (54%) include IaC.
When it comes to evaluating candidates for DevSecOps roles, more than half (58%) of these respondents (n = 278) believe it’s important for applicants to know about the DevSecOps framework.
41% believe it’s important for candidates to have knowledge of specific programming languages. Only 2% think that DevSecOps certification is important for potential hires.
Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.
We have been trying to bring this concept [of DevSecOps] onboard across the entire organisation [and] faced a few challenges upfront with team adoption, etc., but now everyone is settling and we can certainly see its benefits.
With development teams often so spread out across a company, it is hard for a centralized security [team] to even get visibility into all the code being developed. Embedding security champions in each organization has become critical.
Many adopted DevSecOps to address open source risks
Concerns about the risks of open source modules and libraries are motivating almost two-thirds (62%) of respondents to adopt DevSecOps. Almost half (48%) turned to DevSecOps because of delayed releases due to security audits, while 39% were motivated by the need for greater visibility into the CI/CD pipeline.
Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.
As software deployments move to public clouds, security concerns are increasing. It is impossible to have security experts monitor the environments 24x7 and review/check the code for every change. Hence DevSecOps is critical at this time for any company operating a cloud environment.
DevSecOps is the way forward if speed of releases is a priority.
Want more insights like this from leaders like yourself?
Click here to explore the revamped, retooled and reimagined Gartner Peer Community. You'll get access to synthesized insights and engaging discussions from a community of your peers.