However, 82.3% of respondents reported that they found secure coding training for developers useful, and ranked it higher than penetration testing, software composition analysis (SCA), automated static application security testing (SAST), threat modeling, container/image security scanning, dynamic application security testing (DAST), third-party compliance reviews or audits, interactive application security testing (IAST), fuzz testing, and bug bounties. Clearly, secure coding training is crucial, but coding is complicated, and tight development timelines and extensive technology landscapes mean that even the most well-trained developers can overlook best practices when they are working at speed. This is where tools come in. Good tools, available right from the IDE, allow developers to incorporate secure coding practices at the speed businesses need to remain competitive.
It is a positive development that in the 2022 survey, more than half of respondents reported that they consider shared security ownership a key success factor to instituting DevSecOps. When asked about improving communications across development, operations, and security, 56% responded that this was a priority—up from 51% in 2021.
To truly move from a DevOps to a DevSecOps model, though, automation is crucial. Even the most well-trained developers cannot produce secure code at the rate businesses demand without help from tooling. So it’s encouraging that 55% of respondents (up from 43% in 2021) agree that automating build, test, deployment, and provisioning workflows is essential to this endeavor. Integrating automated security testing into developer tools and workflows also increased in importance to 53% from 45%.
Automation can also help organizations ensure secure coding. Although organizations can’t automate coding, they can automate testing at the point where developers are coding. Providing real-time alerts to developers enables them to identify and fix weaknesses in proprietary code or vulnerable open source components directly from the IDE, without requiring extraneous workflows.
Finally, 52% of respondents reported that securing developer buy-in is key to building a solid DevSecOps environment, up from 46% in 2021. The only element where we saw a downward trend was in training developers in secure coding, which fell to 48% from 52%.