As DevOps Grows, Automation Is Key to App Security
Survey shows that mature DevOps teams have found new ways to integrate security at the speed of development, analyzing app security from design to production.
Breaches Rise in Past Few Years
20% of IT organizations in the 2017 survey had or suspected a breach related to open-source components in the past 12 months, compared to 14% in 2014.
Too Busy for Security
50% of developers in the current study know security is important but don't have enough time to spend on security practices.
Devs Outnumber IT and Sec Pros
In the organizations surveyed, developers often outnumber IT operations by 10:1 and application security professionals by 100:1.
Maturity of DevOps Practices Varies
26% of the respondents described their DevOps practices as very mature, 41% as improving maturity and 33% as immature.
Security Seen as Hindrance to Agility
47% of the traditional development and operations teams surveyed think security teams and policies slow them down, but only 28% of the mature DevOps teams believe security inhibits agility.
Leave Us Alone!
54% of the respondents in the study view security pros as "nags" who point out vulnerabilities but can't resolve them.
Constant Analysis in Mature Organizations
42% of mature DevOps organizations perform application security analyses at every stage of the software delivery lifecycle versus just 27% of all survey respondents.
Automation Increases With Maturity
58% of highly mature DevOps practices have automated security testing within continuous integration and development compared to only 39% of all respondents.
Container Security Lags
88% of survey respondents indicated that security was a top concern when deploying containers, yet only 53% leverage security solutions to address this problem.
Missing Controls Over Components
65% of organizations surveyed lack meaningful controls over the components in their applications. Only 35% keep a complete software bill of materials to help identify new vulnerabilities.
More Training in Mature Group
85% of those with highly mature DevOps practices had some application security training compared to 70% with immature practices.
Protection for Running Apps
58% of the survey participants use a Web application firewall, 20% use runtime app self-protection and 17% use a next-generation app firewall.
IT organizations continue to struggle with breaches, which have risen sharply over the past three years. Yet during the same period, the use of secure components has remained flat, suggesting that more organizations must improve their applications' security posture. Those are some of the key findings of the "2017 DevSecOps Community Survey," which included 2,292 IT professionals in the United States, Europe and other parts of the world.
DevOps is not all about making software better and faster, the study's authors observed. It also requires making software more safely. As evidenced by this year's survey results, more organizations are transforming their development from waterfall-native to DevOps-native tools and processes. The survey revealed that mature development organizations ensure that automated security is woven into their DevOps practice throughout the lifecycle.
"Mature DevOps practices are implementing these new approaches and accelerating their mean time to discover vulnerabilities and improving developer productivity," said Derek Weeks, vice president and DevOps advocate at Sonatype, one of the sponsors of the study. "Development and operations teams who feel security practices are hindering the speed at which they build and release applications should understand that new, automated approaches to security are available."
Of the group surveyed, 43 percent of the respondents were developers or in DevOps, with the rest a mix of architects, team leads and other IT roles. In addition to Sonatype, study sponsors included Contino, DZone, Emerasoft, Ranger4 and Signal Sciences.