What’s with the security / DevOps disconnect?
We asked 350 enterprise IT professionals about real-world practices in application security, DevOps, and CI/CD. See highlights in our DevSecOps infographic.
To learn more about the opportunities presented by DevSecOps and how it operates in the real world, we asked 350 enterprise IT professionals about best and actual practices in application security and CI/CD. Source: DevSecOps Realities and Opportunities, 451 Research, April 2018.
What pre-implementation application security measures do enterprises have in place?
- 74% Security control design analysis
- 61% Application risk assessment
- 59% Threat modeling
- 58% Architectural risk analysis
Who is responsible for application security testing (AST) in CI/CD processes today?
- 71% IT operations
- 61% Security teams
- 49% Developers
No single person or team can or should be responsible for security in CI/CD releases.
How do enterprises implement AST tools in their CI/CD processes?
- 61% Software composition analysis (SCA) and CVE scanning
- 59% Dynamic application security testing (DAST)
- 57% Penetration testing
- 51% Static application security testing (SAST)
- 31% Fuzz testing
Who are the other stakeholders involved in IT management and DevOps initiatives?
- 66% Security
- 66% Technology center of excellence
- 64% Database administrators and data analytics teams
- 46% Lines-of-business managers
When should AST be integrated into CI/CD workflows?
- 67% When developers commit code
- 44% On the fly while coding
But that’s not what’s happening currently.
- 50% When developers commit code
- 38% On the fly while coding
Why is DevSecOps and injecting security into CI/CD processes so important?
- 75% Software quality
- 68% Compliance and regulatory requirements
- 64% Avoiding risk
- 38% Speeding the release process
The code changes pushed in Ci/CD workflows are not insignificant.
- 67% Regular, significant changes
- 17% Large, complex changes
- 16% Small, simple changes
Enterprise software releases are getting faster all the time.
- 49% Days
- 22% Weeks
- 22% Hours
- 5% Minutes
- 2% Seconds
Enterprises are looking for serious improvements in time to deploy from their CI/CD implementations.
- 36% Sought a 4x improvement
- 15% Sought a 5x improvement
- 12% Sought more than a 5x improvement
71% of enterprises measure their releases in days or weeks, while 29% measure their releases in hours, minutes, or seconds.
At the speed of code deployment today, enterprises must build security in automatically at every step of the software development life cycle to execute on their goals of building secure, high-quality software.
More from Security news and research
- Agile, CI/CD, and DevOps
- API security testing
- Application security best practices
- Application security orchestration and correlation
- Application security program strategy and planning
- Application security threat and risk assessment
- Automotive cyber security
- Cloud cyber security
- Container security
- Cybersecurity Research Center
- DevSecOps
- Dynamic application security testing
- Financial cyber security
- Fuzz testing
- Healthcare cyber security
- Interactive application security testing
- Internet of Things cyber security
- M&A and OSS license compliance
- Medical devices cyber security
- Mergers and acquisitions due diligence
- Mobile application security
- Open source license compliance
- Penetration testing
- Public sector cyber security
- Security and developer training
- Software compliance, quality, and standards
- Software composition analysis
- Software Integrity Group’s products and services
- Static application security testing
- Telecommunications and network cyber security
- Threat modeling
- Web application security