The patterns of elite DevSecOps practices

As DevOps practices are maturing rapidly, organizations with elite DevSecOps programs are automating security earlier in the development lifecycle and managing software supply chains as a critical differentiator to their competitors.

elite DevSecOps practices

The 6th annual DevSecOps Community Survey of 5,558 IT professionals conducted by Sonatype in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit, and Twistlock, revealed that organizations with elite DevSecOps programs are outperforming other enterprises by extreme margins.

Those factors include:

  • DevOps automation – Elite DevSecOps practices are 350% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have increased feedback loops that enable security issues to be identified directly from tools.
  • Open source controls – 62% of respondents with elite programs have an open source governance policy in place where automation improves adhere to it, compared to just 25% of those without DevOps practices.
  • Container controls – 51% of respondents with elite practices say they leverage automated security products to identify vulnerabilities in containers, while only 16% of those without said the same thing.
  • Training – Organizations with elite DevSecOps practices are 3x more likely to provide application security training to developers than those organizations without DevOps practices.
  • Preparedness – 81% of those with elite practices have a cybersecurity response plan in place compared to 62% of those without DevOps practices.

“Forty seven percent (47%) of the organizations we surveyed are deploying to production multiple times a week, while the velocity of their security practices are also increasing”, said Derek Weeks, VP and DevOps Advocate at Sonatype.

“The DevSecOps community has shown us that elite organizations are performing significantly less manual work, seamlessly blending security into their developer’s world, and are better prepared for remediating security incidents as they arise, when compared to their counterparts without DevOps practices.”

elite DevSecOps practices

Other key findings from the survey:

  • 24% of all respondents suspected or verified a breach related to open source components — representing a 71% increase since Heartbleed made headlines 5 years ago.
  • 50% of elite programs produce a complete software bill of materials that’s updated regularly, while only 19% of those without DevOps practices keep this.
  • Developers continue to believe security is important, but are unable to make it a priority. This is the third year in a row where 48% of respondents admitted that developers feel they don’t have the time to spend on this.
  • Lack of preparedness for many is a top down issue, with 41% of executive level respondents admitting that their company does not follow an open source governance policy.
  • 50% of respondents using cloud infrastructure, noted they simply rely on the service provider to secure their cloud.
  • 28% of respondents admitted they do not protect secrets like passwords, API keys, and certificates.
  • 35% of all respondents said their number one challenge in application security is that they find out about the problem too late in the process.
  • 46% of organizations without a DevOps practices do not have application level credentials encrypted, while 75% of elite DevSecOps practices do.

“Key DevOps principles including: continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach”, said Hasan Yasar, Technical Manager and Adjunct Faculty Member for Carnegie Mellon’s Software Engineering Institute.

“We must all recognize security is a living thing and organizations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”