GitLab Inc., the single application for the DevOps lifecycle, has released the results of its fifth annual DevSecOps survey, uncovering how roles across software development teams have changed as DevOps teams mature. The survey of nearly 4,300 respondents from around the world found that DevOps teams dramatically increased the pace of technology adoption, which allowed them to take larger steps toward DevSecOps, increased release speeds and advanced automation.
“This year’s Global DevSecOps Survey shows that 2020 was a catalyst for DevOps maturation,” said Eric Johnson, CTO at GitLab. “Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year. We believe we will see improvements in testing as more teams adopt tools to automate the parts of DevSecOps that have continuously caused cycles to slow down.”
According to the 2021 survey results, the COVID-19 pandemic forced the broad adoption of remote work, which in turn energized teams to focus on embracing cutting-edge DevOps technologies such as Kubernetes, machine learning/artificial intelligence (ML/AI) and cloud computing. In the past year, DevOps matured and fully arrived with these technology adoptions, but there are still roadblocks to navigate before achieving true DevSecOps.
DevOps Gets Automated and Ops Teams Reprioritize for 2021
Like last year, the 2021 report found that software testing and code review remained sticking points, but how those challenges are handled is strikingly different. Amazingly, 75% of respondents report their DevOps teams are either using or planning to use ML/AI for testing and code review, up 41% from 2020's survey. This broad adoption of cutting-edge technologies represents a larger shift in the industry towards integrating automation into the software development lifecycle. A majority (55%) of operations teams report their lifecycles were either completely or mostly automated. For contrast, in 2020, just 8% of teams claimed full automation.
By integrating automation into their development cycles, DevOps team members gain back valuable time to address other priorities. Operations teams, for example, have shifted priorities to address the new software industry landscape shaped by the events of 2020. Fifty-six percent of operations professionals now report their first priority is managing cloud services (an increase from last year), no doubt a reflection of the mass migration to the cloud sparked by the pandemic. Additionally, operations teams report spending more time on compliance than they did in 2020, correlating to new compliance laws introduced last year like the California Privacy Rights Act (CPRA). Without adopting new technology to streamline development cycles, operations teams would likely have had a harder time reprioritizing to meet the new demands.
Releases are Faster Than Ever and Testing Remains a Sticking Point
Success in the software industry relies on release speed, and DevSecOps is the way to make it happen. This year, 84% of developers said they’re releasing code faster than ever before. This increase in release speed is due to the addition of tools like source code management and Continuous Integration and Continuous Delivery (CI/CD). Nearly 12% of respondents said adding a DevOps platform has sped up the process. Overall, 57% of respondents reported code is released twice as fast – a big increase from last year’s 35% – and 19% said code gets released 10 times faster.
Even with faster release times, security testing remains a sticking point for DevOps members. Over 42% of respondents felt it’s happening too late in the process, and nearly the same percentage said it was a struggle to unpack, process, and fix vulnerabilities. Almost 37% said tracking the status of the bug fixes was challenging, and 33% found remediation prioritization difficult. Like last year, these results indicate a reactive approach to security in the development process. They also indicate the importance of integrating DevSecOps in development cycles, because issues raised in testing that create bottlenecks could be caught and addressed earlier in development.
DevSecOps Matures but Security Ownership Remains a Pain Point
Following a trend the 2020 DevSecOps report indicated, developer roles continue to shift left, taking on more responsibility for what were traditionally operations- and security-related tasks. In 2021, more than 70% of security professionals report their teams have moved security considerations earlier in development, or “shifted left,” an increase from last year’s 65%. Research indicates this broad increase in shifting left is due in part to an increase in developers conducting static and dynamic application security testing. Fifty-three percent of developers reported running static application security testing (SAST) scans (a 13% increase from last year) and 44% of developers reported running dynamic application security testing (DAST) scans (a 17% increase from last year).
Overall, this indicates a major step towards putting the “Sec” in DevSecOps, and the industry is seeing the benefits too. In fact, the report shows how far DevSecOps has come in the last year, with an unprecedented 72% of security professionals reporting their organizations’ security efforts were either “good” or “strong.” That’s a significant improvement from last year, when only 59% said the same thing. The largest year-over-year increase was in the “strong” category: last year only 19.95% of respondents considered their security posture in that light, compared to nearly 33% in 2021.
While teams are showing signs of moving towards DevSecOps, research indicates organizations still struggle with determining who is in charge of security. Almost 31% of security respondents reported they were fully responsible for it, but almost 28% said everyone was responsible. This response is similar to last year’s, and underscores the need for clarity on this subject.
“While the industry has continued integrating security into development, and organizations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Johnathan Hunt, vice president of security at GitLab. “In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organization, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”