DevSecOps: Strategies, Organizational Benefits and Challenges

About this report

Data collection: Jan 28 - Mar 3, 2023

Respondents: 300 information security, software engineering and IT leaders at organizations that have implemented DevSecOps.

DevSecOps incorporates security best practices throughout software development as a way to speed up deployment while reducing risk. How prevalent is DevSecOps, and what are the top benefits and challenges associated with this approach?

One minute insights:

  • DevSecOps adoption is on the rise among tech leaders, with half of respondents saying their organization has already adopted it
  • GitHub is the most commonly used DevSecOps tool
  • The DevSecOps strategy of many respondents’ organizations includes defense-in-depth practices, role-based access control (RBAC) and infrastructure as code (IaC)
  • A majority of respondents report fewer security incidents with DevSecOps
  • Many respondents’ organizations adopted DevSecOps to address concerns about the risks of open source modules and libraries

A majority of tech leaders say their organizations have adopted or plan to adopt DevSecOps

Half (50%) of respondents’ organizations have implemented DevSecOps. 31% say their organizations are in the implementation process, while 11% plan to implement DevSecOps.

Has your organization implemented DevSecOps?*

n = 300

Note: May not add to 100% due to rounding

*Respondents who answered “not sure” were eliminated from the survey.

When will you begin implementing DevSecOps?

Among those respondents whose organizations plan to implement DevSecOps (n = 34), nearly half (47%) say they will do so within the next four to six months. No respondent in this group answered “not sure” (0%).

n = 34

Note: May not add to 100% due to rounding

Question shown only to respondents who answered “no, but it’s in our plans” to the question “Has your organization implemented DevSecOps?”


Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.

DevSecOps is becoming very important and we need to invest [in] more technology to improve our DevSecOps environment.

Director, natural resource extraction industry, 10,000+ employees

In my company, we need to redefine our DevSecOps strategy in order to be aligned to the overall IT and business strategy.

Director, natural resource extraction industry, 1,000 - 5,000 employees

GitHub is the top tool choice for tech leaders whose organizations have put DevSecOps into practice

Which tool(s) are you using for DevSecOps? Select all that apply.

When it comes to DevSecOps tooling, GitHub is most commonly used (61%) among respondents whose organizations have implemented DevSecOps or are in the process of doing so (n = 244). Almost one-third (32%) use GitLab.

GitHub 61% | GitLab 32% | NTT Application Security 18% | SonarQube 17% | HCLSoftware 16% | Aqua Security 12% | Contrast Security 10% | Checkmarx 9% | Veracode 9% | Rapid7 9% | Snyk 8% | Data Theorem 7% | Invicti 7% | Micro Focus 5% | Synopsys 4% | Onapsis 2% | Other (Arctic Wolf, Astra Security, Bitbucket, JFrog Xray) 2% | ThreatModeler 2% | Sysdig Secure 1% | None of these <1%

n = 244

Question shown only to respondents who answered “yes” or “implementation is in progress” to the question “Has your organization implemented DevSecOps?”

Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.

We are evaluating new tools to strengthen our DevSecOps deployment.

C-suite, natural resource extraction industry, 5,000 - 10,000 employees

[DevSecOps] is still maturing and there is [a] challenge of so many different tools needing to be combined to have an end-to-end assessment and release criteria.

C-suite, software industry, 10,000+ employees

Respondents see fewer security incidents with DevSecOps implementation. Many face challenges related to tools and developers

Respondents whose organizations have implemented DevSecOps, or are in the process of doing so (n = 244), are most satisfied with application inventory (75%) and automation (74%).

API inventories (14%) and testing (13%) are the components that these respondents are most commonly dissatisfied with.

How satisfied are you with the following DevSecOps components at your organization?

n = 244

Question shown only to respondents who answered “yes” or “implementation is in progress” to the question “Has your organization implemented DevSecOps?”

Two-thirds (66%) of these respondents (n = 244) saw fewer security incidents as a result of implementing DevSecOps.

What benefits have you seen in your organization as a result of implementing DevSecOps? Select all that apply.

n = 244

Fewer security incidents 66% | Improved runtime protection 27% | Increased observability 25% | Faster release cycles 23% | Increased confidence in development team among leadership 18% | Improved traceability 15% | Shorter feedback cycles 14% | Improved team morale 7% | None of these 1% | Other 0%

Question shown only to respondents who answered “yes” or “implementation is in progress” to the question “Has your organization implemented DevSecOps?”

What technical challenges have you experienced with DevSecOps in your organization? Select all that apply.

However, 60% of these respondents (n = 244) experienced problems implementing their security tools. 57% encountered complexities related to cloud, and 51% experienced issues with integrations.

Problems implementing security tools 60% | Complexities related to cloud 57% | Issues with integrations 51% | Data capture and analysis limitations 30% | Legacy systems 27% | None of these 1% | Other 0%

n = 244

Question shown only to respondents who answered “yes” or “implementation is in progress” to the question “Has your organization implemented DevSecOps?”

Developer-related issues are a prominent source of organizational challenges according to respondents whose organizations have already implemented or are in the process of implementing DevSecOps (n = 244). Specifically, developers struggle to use security testing tools (64%), lack an understanding of vulnerabilities (59%), and don’t feel responsible for security (51%).

What organizational challenges have you experienced with DevSecOps in your organization? Select all that apply.

n = 244

Developers struggle to use security testing tools 64% | Developers lack an understanding of vulnerabilities 59% | Developers don’t feel responsible for security 51% | Skills gaps (i.e., current resources lack necessary skills) 22% | Security feedback is not timely 15% | Lack of resources 13% | Hard to define ROI 12% | Security feedback is not actionable 11% | Costs 8% | Employee buy-in (i.e., cultural resistance to DevSecOps processes/tools) 8% | Executive buy-in (i.e., unwilling to invest in DevSecOps tools or training) 6% | None of these 0% | Other 0%

Question shown only to respondents who answered “yes” or “implementation is in progress” to the question “Has your organization implemented DevSecOps?”

Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.

Building a culture of security and compliance, and doing that through the shift left approach, yields great success for decreasing incidents and smoothing audits.

VP, educational services industry, <1,000 employees

It needs [an] organizational operating model that aligns security and dev teams under a common goal/OKRs.

Director, government industry, 1,000 - 5,000 employees

Defense-in-depth practices are often part of organizations’ DevSecOps strategies, and knowledge of the DevSecOps framework is important for job candidates

63% of respondents whose organizations have implemented, are implementing or plan to implement DevSecOps (n = 278) include defense-in-depth practices as part of their strategy. 60% include RBAC in their approach, while more than half (54%) include IaC.

What practices are included in your DevSecOps strategy? Select all that apply.

n = 278

Defense-in-depth practices 63% | Role-based access control (RBAC) 60% | Infrastructure as code (IaC) 54% | Software composition analysis (SCA) 33% | Build strategies (e.g., multi-stage dockerfile builds, standardized labeling) 19% | Regular security training for developers 15% | Containers never run as root 14% | Developers must pull from known registries only 12% | Pre-commit hooks 9% | Avoid privileged containers 9% | Cut unnecessary capabilities 9% | Secure secret injection 8% | Read-only file system 4% | Mutation detection 4% | Notary services (e.g., to ensure images are immutable) 1% | None of these 1% | Other 0%

Question not shown to respondents who answered “no, but it’s been discussed” or “no, and we don’t plan to” to the question “Has your organization implemented DevSecOps?”
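Several of the practices in this list (containers never run as root, avoid privileged containers, cut unnecessary capabilities, read-only file system, developers must pull from known registries only, secure secret injection) are concrete settings that a DevSecOps pipeline can check before a workload is admitted. The following is an added example and is not code from the report or from any respondent’s organization: a small Python policy check run over two constructed Kubernetes pod manifests, one weak and one hardened. The registry allow-list, the environment-variable name heuristic and the manifests themselves are assumptions made for the example.

```python
"""Pipeline-side policy check for several of the container practices listed above.

Added example: the manifests and registry allow-list below are constructed for
illustration and are not from the report or any respondent's environment.
"""
from typing import Any

# Assumption for this example: images may only be pulled from these prefixes
# ("developers must pull from known registries only").
ALLOWED_REGISTRIES = ("registry.example.internal/", "ghcr.io/example-org/")

# Assumed heuristic: env var names containing these words should never carry a
# literal value ("secure secret injection": use valueFrom.secretKeyRef instead).
SECRET_NAME_HINTS = ("PASSWORD", "SECRET", "TOKEN")


def _containers(pod: dict[str, Any]) -> list[dict[str, Any]]:
    """Init containers and app containers are checked alike."""
    spec = pod.get("spec", {})
    return list(spec.get("initContainers", [])) + list(spec.get("containers", []))


def check_pod(pod: dict[str, Any]) -> list[str]:
    """Return one finding per violated practice; an empty list means the pod passes."""
    findings: list[str] = []
    pod_sc = pod.get("spec", {}).get("securityContext", {})
    for c in _containers(pod):
        name = c.get("name", "<unnamed>")
        sc = c.get("securityContext", {})
        image = c.get("image", "")

        # Developers must pull from known registries only
        if not image.startswith(ALLOWED_REGISTRIES):
            findings.append(f"{name}: image {image!r} is not from an allowed registry")

        # Containers never run as root. Container-level settings override the
        # pod-level securityContext, so fall back to the pod value only if unset.
        non_root = sc.get("runAsNonRoot", pod_sc.get("runAsNonRoot", False))
        uid = sc.get("runAsUser", pod_sc.get("runAsUser"))
        if not non_root and uid in (None, 0):
            findings.append(f"{name}: may run as root (set runAsNonRoot or a non-zero runAsUser)")

        # Avoid privileged containers (privilege escalation is allowed by default)
        if sc.get("privileged", False):
            findings.append(f"{name}: privileged container")
        if sc.get("allowPrivilegeEscalation", True):
            findings.append(f"{name}: allowPrivilegeEscalation is not set to false")

        # Cut unnecessary capabilities: expect drop: [ALL], re-add only what is needed
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            findings.append(f"{name}: capabilities not dropped (expected drop: [ALL])")

        # Read-only file system
        if not sc.get("readOnlyRootFilesystem", False):
            findings.append(f"{name}: root filesystem is writable")

        # Secure secret injection: reject literal values in secret-looking env vars
        for env in c.get("env", []):
            env_name = env.get("name", "")
            if "value" in env and any(h in env_name.upper() for h in SECRET_NAME_HINTS):
                findings.append(f"{name}: env {env_name} carries a literal secret; use valueFrom.secretKeyRef")
    return findings


# Constructed manifests, written as Python dicts rather than YAML so the example has no dependencies.
WEAK_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-weak"},
    "spec": {"containers": [{
        "name": "web", "image": "nginx:latest",
        "env": [{"name": "DB_PASSWORD", "value": "hunter2"}],
    }]},
}

HARDENED_POD = {
    "apiVersion": "v1", "kind": "Pod", "metadata": {"name": "web-hardened"},
    "spec": {
        "securityContext": {"runAsNonRoot": True, "runAsUser": 10001},
        "containers": [{
            "name": "web", "image": "registry.example.internal/web/app:1.4.2",
            "securityContext": {
                "allowPrivilegeEscalation": False,
                "capabilities": {"drop": ["ALL"], "add": ["NET_BIND_SERVICE"]},
                "readOnlyRootFilesystem": True,
            },
            "env": [{"name": "DB_PASSWORD",
                     "valueFrom": {"secretKeyRef": {"name": "db-creds", "key": "password"}}}],
        }],
    },
}


def gate(pod: dict[str, Any]) -> bool:
    """Admission decision a CI stage would make: True only when no finding remains."""
    return not check_pod(pod)


if __name__ == "__main__":
    for pod in (WEAK_POD, HARDENED_POD):
        print(pod["metadata"]["name"], "ADMIT" if gate(pod) else "REJECT")
        for finding in check_pod(pod):
            print("  -", finding)
```

The weak manifest is rejected with six findings; the hardened one is admitted. A check like this belongs in CI or in a cluster admission controller rather than in a script developers run by hand; the non-root, no-privilege-escalation and drop-all-capabilities rules approximate what the Kubernetes Pod Security Standards “restricted” profile enforces, while the registry allow-list, read-only root filesystem and literal-secret rules are additional policy the example assumes.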

When it comes to evaluating candidates for DevSecOps roles, more than half (58%) of these respondents (n = 278) believe it’s important for applicants to know about the DevSecOps framework. 41% believe it’s important for candidates to have knowledge of specific programming languages. Only 2% think that DevSecOps certification is important for potential hires.

Which of the following factors are most important to you when evaluating candidates for DevSecOps roles? Select up to three.

Knowledge of the DevSecOps framework 58% | Knowledge of specific programming languages 41% | Problem solving skills 33% | Security skills (e.g., implementing authentication measures, identifying vulnerabilities) 27% | Knowledge of specific DevSecOps tools 24% | Willingness to learn continuously 16% | Collaboration skills 13% | Communication skills 12% | Commitment to DevSecOps philosophy 7% | Familiarity with applicable regulations (i.e., understanding how to ensure compliance) 7% | Proficiency with automation tools 6% | Not sure 5% | DevSecOps certification 2% | None of these 0% | Other 0%

n = 278

Question not shown to respondents who answered “no, but it’s been discussed” or “no, and we don’t plan to” to the question “Has your organization implemented DevSecOps?”

Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.

We have been trying to bring this concept [of DevSecOps] onboard across the entire organisation [and] faced a few challenges upfront with team adoption, etc., but now everyone is settling and we can certainly see its benefits.

VP, software industry, 1,000 - 5,000 employees

With development teams often so spread out across a company, it is hard for a centralized security [team] to even get visibility into all the code being developed. Embedding security champions in each organization has become critical.

VP, natural resource extraction industry, 10,000+ employees

Many adopted DevSecOps to address open source risks

Concerns about the risks of open source modules and libraries motivated almost two-thirds (62%) of these respondents (n = 278) to adopt DevSecOps. Almost half (48%) turned to DevSecOps because of delayed releases due to security audits, while 39% were motivated by the need for greater visibility into the CI/CD pipeline.

What were the strongest motivations driving your decision to adopt DevSecOps? Select up to three.

n = 278

Risks of open source modules and libraries 62% | Delayed releases due to security audits 48% | Need for greater visibility into the CI/CD pipeline 39% | Increased attack surface 18% | Cyberattacks/security incidents (i.e., vulnerabilities in your code have been exploited by bad actors in the past) 17% | Need for greater risk mitigation 17% | Risks associated with Kubernetes (e.g., misconfiguration) 17% | Low developer morale 16% | Absence of unified governance 14% | None of these <1% | Other 0%

Question not shown to respondents who answered “no, but it’s been discussed” or “no, and we don’t plan to” to the question “Has your organization implemented DevSecOps?”

Question: Please enter any final thoughts you would like to share on your experience with DevSecOps.

As software deployments move to public clouds, security concerns are increasing. It is impossible to have security experts monitor the environments 24x7 and review/check the code for every change. Hence DevSecOps is critical at this time for any company operating a cloud environment.

Director, software industry, <1,000 employees

DevSecOps is the way forward if speed of releases is a priority.

Director, telecommunication services industry, 10,000+ employees

Source: Gartner Peer Community.

Respondent Breakdown


Note: May not add up to 100% due to rounding