The state of AppSec and the journey to DevSecOps

While the perceived benefits of DevSecOps to both security and DevOps are high, much progress must be made in defining a repeatable and consistent governance model for true DevSecOps to take hold, a ZeroNorth survey of 250 global security, DevOps and IT professionals reveals.

The study highlights how roles, responsibilities, and ownership of application security (AppSec) must be clearly defined as part of a DevSecOps governance model, something lacking in today’s environment. Specifically, the survey finds that while 76% of developers and engineers believe DevOps will own AppSec within three years, only 56% of AppSec professionals agree.

“We are at an inflection point where software security has become the foundation for enterprise security,” said John Worrall, CEO at ZeroNorth.

“The push toward true DevSecOps will strengthen security and improve the products that DevOps deliver. That said, our study shows progress needs to be made on many fronts – most notably DevSecOps governance, process, and culture – for companies to see this promise materialize.”

Security governance takes center stage

Key to the topic of governance is the notion of responsibility. While the question of “Will DevOps own AppSec?” remains up for grabs, the study demonstrates how a shared responsibility model for AppSec is likely to emerge. In fact, 90% of participants said it is, indeed, likely that responsibility will be shared across DevOps and security teams in the next three years.

While AppSec has historically centered on tooling, DevOps has been built with process and governance, enabled through automation and orchestration. As AppSec and DevOps come together into DevSecOps, discrepancies become clear. For example, while 58% of companies developing more than 31 applications annually say their continuous integration / continuous deployment (CI/CD) processes have been fully automated, only 17% of respondents say they have a fully automated development process that includes security.

Integrating AppSec tools into DevOps pipelines

• Automation and orchestration are enabling DevSecOps: 91% of respondents agree or strongly agree that integrating AppSec tools into DevOps pipelines through automation will be critical to the success of DevSecOps; 88% believe orchestration of tools within CI/CD pipelines will be required.
• Adjusting the security mindset: DevSecOps requires a culture change across security and DevOps – and 73% of participants agree security must rethink the way it partners with Development for DevSecOps to succeed.
• Enabling security in the journey to DevSecOps: The survey also demonstrates key things security must understand about DevOps, including the SDLC, tools and technical benefits. But there are actions Dev teams can take to support this journey. For example, 59% of respondents said Dev could promote DevOps best practices; 50% said Dev should include security in DevOps planning sessions, and 46% said Dev should assign a DevOps Champion to the security organization.