Devs know application security is important, but have no time for it

Sonatype polled 2,076 IT professionals to discover practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions, and the results of the survey showed that breaches related to open source components grew at a staggering 50% since 2017, and 121% since 2014.

DevSecOps investment

This follows on from Sonatype’s findings earlier in the year, which showed that 1 in 8 open source components downloaded by developers in the UK contained a known security vulnerability.

Yet despite this, resourcing and training still presents challenges: 48% of respondents admitted that they don’t have enough time to spend on application security, while 35% of developers from companies with no DevOps practices received no training on application security in the past year.

DevSecOps investment is crucial

The results also revealed that developers outnumber security professionals by 100:1, highlighting the urgent need for automated application security testing to mitigate risks and improve business productivity.

The findings demonstrated that more organisations are waking up to this approach, with mature DevOps practices showed a 15% year over year growth in applying security practices throughout the development lifecycle.


The survey found that those companies with mature DevOps practices are 24% more likely to have deployed automated security practices throughout their development lifecycle. Investments in open source governance, container security, and web application firewalls were noted as the most critical to companies pursuing DevSecOps transformations.

Other key findings from the survey include:

  • 77% of mature DevOps organisations have open source policies in place, with a 76% adherence rate. Conversely, only 58% of respondents without mature DevOps practices had a policy with a 54% adherence rate – revealing that DevSecOps automation is difficult to ignore.
  • 59% of mature DevOps companies are building more security automation into their development process as attention toward GDPR compliance grows.
  • 88% of those with mature DevOps practices are investing in application security training, while 35% with immature practices said they had no access to security training. This finding points to stronger cybersecurity readiness postures of those investing in DevOps.
  • 63% of respondents with mature DevOps practices say they leverage security products to identify vulnerabilities in containers, as these components become more ubiquitous in modern IT landscapes.
  • 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it, shedding light on the growth in automated security investments.

“It seems that DevOps with a security mindset is not enough. Full-blown DevSecOps – in which security is a foundational principle of software delivery and considered from the word ‘go’ – is needed,” says Benjamin Wootton, Co-founder and CTO of Contino.

“It’s not only about automating development, deployment and security; it’s also about changing the way all parts of an organization – technical and otherwise – are involved in the software development life cycle. If you think about it, you see that in big organizations DevSecOps is really DevSecOpsAndEverybodyElse,” adds Oleg Gryb, a chief security architect in the financial services industry.

RSA Conference 2018

Don't miss