20% of security professionals described their organizations’ DevSecOps practices as “mature”, while 62% said they are improving practices and 18% described them as “immature”, a WhiteSource report finds.
The survey gathered responses from over 560 developers and application security professionals in North America and Western Europe about the state of DevSecOps implementation in their organizations.
Reaching full DevSecOps maturity
- In order to meet short deployment cycles, 73% of security professionals and developers feel forced to compromise on security.
- AppSec tools are purchased to ‘check the box’, disregarding developers’ needs and processes, resulting in tools being purchased but not used. Developers don’t fully use the tools purchased by the security team. The more mature an organization is in terms of its DevSecOps practices, the more AppSec tools it uses.
- There is a significant “AppSec knowledge and skills gaps” challenge that is largely neglected by organizations. While 60% of security professionals say they have had an AppSec program in place for at least a year, only 37% of developers surveyed reported that they were not aware of an AppSec program running for longer than a year inside their organization.
- Security professionals’ top challenge is prioritization, but organizations lack the standardized processes to streamline vulnerability prioritization.
“Survey results show that while most security professionals and developers believe that their organizations are in the process of adopting DevSecOps, most organizations still have a way to go, especially when it comes to breaking down the silos separating development and security teams,” said Rami Sass, CEO, WhiteSource.
“Full DevSecOps maturity requires organizations to implement DevSecOps across the board. Processes, tools, and culture need to evolve in order to break down the traditional silos and ensure that all teams share ownership of both security and agility.”