Software Integrity Blog


What’s with the security / DevOps disconnect?

We asked 350 enterprise IT professionals about real-world practices in application security, DevOps, and CI/CD. See highlights in our DevSecOps infographic.

Infographic: What's with the security / DevOps disconnect?

Learn more about DevSecOps

To learn more about the opportunities presented by DevSecOps and how it operates in the real world, we asked 350 enterprise IT professionals about best and actual practices in application security and CI/CD. Respondents could select more than one answer to most questions, so percentages below do not sum to 100. Source: DevSecOps Realities and Opportunities, 451 Research, April 2018.

What pre-implementation application security measures do enterprises have in place?

  • 74% Security control design analysis
  • 61% Application risk assessment
  • 59% Threat modeling
  • 58% Architectural risk analysis

Who is responsible for application security testing (AST) in CI/CD processes today?

  • 71% IT operations
  • 61% Security teams
  • 49% Developers

Responsibility is already shared across several teams, and that is how it should be: no single person or team can or should be solely responsible for security in CI/CD releases.

How do enterprises implement AST tools in their CI/CD processes?

  • 61% Software composition analysis (SCA) and CVE scanning
  • 59% Dynamic application security testing (DAST)
  • 57% Penetration testing
  • 51% Static application security testing (SAST)
  • 31% Fuzz testing

Who are the other stakeholders involved in IT management and DevOps initiatives?

  • 66% Security
  • 66% Technology center of excellence
  • 64% Database administrators and data analytics teams
  • 46% Lines-of-business managers

When do respondents think AST should be integrated into CI/CD workflows?

  • 67% When developers commit code
  • 44% On the fly while coding

Actual practice lags behind that view. When does AST run today?

  • 50% When developers commit code
  • 38% On the fly while coding

Why are DevSecOps and injecting security into CI/CD processes so important?

  • 75% Software quality
  • 68% Compliance and regulatory requirements
  • 64% Avoiding risk
  • 38% Speeding the release process

The code changes pushed through CI/CD workflows are substantial: most respondents describe their typical changes as regular and significant rather than small and simple.

  • 67% Regular, significant changes
  • 17% Large, complex changes
  • 16% Small, simple changes

Enterprise software release cycles are short. Respondents measure theirs in:

  • 49% Days
  • 22% Weeks
  • 22% Hours
  • 5% Minutes
  • 2% Seconds

Enterprises are looking for serious improvements in time to deploy from their CI/CD implementations; almost two-thirds (63%) sought at least a 4x improvement.

  • 36% Sought a 4x improvement
  • 15% Sought a 5x improvement
  • 12% Sought more than a 5x improvement

Combining the figures above, 71% of enterprises measure their releases in days or weeks, while 29% measure them in hours, minutes, or seconds.

At today's deployment speeds, manual security gates cannot keep up. Enterprises must build security in automatically at every step of the software development life cycle if they are to meet their goals of shipping secure, high-quality software.
