We asked 350 enterprise IT professionals about real-world practices in application security, DevOps, and CI/CD. See highlights in our DevSecOps infographic.

Learn more about DevSecOps
To learn more about the opportunities presented by DevSecOps and how it operates in the real world, we asked 350 enterprise IT professionals about best and actual practices in application security and CI/CD. Source: DevSecOps Realities and Opportunities, 451 Research, April 2018.
What pre-implementation application security measures do enterprises have in place?
Who is responsible for application security testing (AST) in CI/CD processes today?
- 71% IT operations
- 61% Security teams
- 49% Developers
No single person or team can or should be responsible for security in CI/CD releases.
How do enterprises implement AST tools in their CI/CD processes?
- 61% Software composition analysis (SCA) and CVE scanning
- 59% Dynamic application security testing (DAST)
- 57% Penetration testing
- 51% Static application security testing (SAST)
- 31% Fuzz testing
Who are the other stakeholders involved in IT management and DevOps initiatives?
- 66% Security
- 66% Technology center of excellence
- 64% Database administrators and data analytics teams
- 46% Lines-of-business managers
When should AST be integrated into CI/CD workflows?
- 67% When developers commit code
- 44% On the fly while coding
But that’s not what’s happening currently.
- 50% When developers commit code
- 38% On the fly while coding
Why is DevSecOps and injecting security into CI/CD processes so important?
- 75% Software quality
- 68% Compliance and regulatory requirements
- 64% Avoiding risk
- 38% Speeding the release process
The code changes pushed in Ci/CD workflows are not insignificant.
- 67% Regular, significant changes
- 17% Large, complex changes
- 16% Small, simple changes
Enterprise software releases are getting faster all the time.
- 49% Days
- 22% Weeks
- 22% Hours
- 5% Minutes
- 2% Seconds
Enterprises are looking for serious improvements in time to deploy from their CI/CD implementations.
- 36% Sought a 4x improvement
- 15% Sought a 5x improvement
- 12% Sought more than a 5x improvement
71% of enterprises measure their releases in days or weeks, while 29% measure their releases in hours, minutes, or seconds.
At the speed of code deployment today, enterprises must build security in automatically at every step of the software development life cycle to execute on their goals of building secure, high-quality software.