A survey of more than 500 DevOps practitioners finds less than half (47%) of respondents work for organizations that regularly employ best DevSecOps practices.
Conducted by Techstrong Research, an arm of the TechStrong Group, which is also the parent organization of DevOps.com, the survey additionally finds 54% of respondents regularly practice code scanning for vulnerabilities during development, while 40% conduct security testing.
A full 59% of respondents said they are also making further investments in application security, with 19% describing their investment level as high. At the same time, 64% of respondents are investing in a code scanning tool, with 24% describing those investments as high. A total of 62% are investing in application programming interface (API) security, with 23% of respondents describing those investments as high.
Additionally, among the 61% of respondents that are embracing platform engineering as a methodology for managing DevOps workflows at scale, 48% cited improving security as a primary motivation.
Mitch Ashley, principal analyst for Techstrong Research, said rather than simply trying to shift responsibility for application security further left toward developers, the survey makes it clear more organizations are now applying best DevSecOps practices across the entire software development lifecycle (SDLC).
In fact, the survey finds that DevOps has already had either a high (34%) or medium (43%) impact on improving software security for more than three quarters (77%) of respondents. The challenge is that there is still much work to do, given that more than half of respondents have not yet fully embraced DevSecOps workflows, even following a series of high-profile breaches specifically involving applications.
In addition, cybercriminals are clearly now targeting software supply chains using stolen developer credentials to inject malware in the hopes it will find its way into multiple downstream applications. The only way to discover those types of threats is to scan not only code as it is developed, but also where it is stored, and ultimately incorporated into the build that gets deployed into a production environment.
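As an added illustration of what scanning at each of those three points looks like in practice (this is not part of the article or the survey), the GitHub Actions workflow below runs a secrets scan and static analysis on every push and pull request, scans the stored repository for vulnerable dependencies, and then scans the built container image before it can be promoted. The tool choices (gitleaks, semgrep, trivy), the action versions and the example-app image name are assumptions for illustration.

```yaml
# Added example, not from the article or the survey: scanning at the three
# stages named in the text. Tool choices and image name are assumptions.
name: devsecops-scans
on:
  push:
  pull_request:

jobs:
  scan-source:          # stage 1: code as it is written and pushed
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0          # full history so a credential leaked in an old commit is still found
      - name: Secrets scan (leaked developer credentials)
        uses: gitleaks/gitleaks-action@v2
      - name: Static analysis of application code
        run: |
          pip install semgrep
          semgrep scan --config auto --error   # --error: fail the job on findings

  scan-repository:      # stage 2: where the code and its dependencies are stored
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Vulnerable dependencies and misconfigured IaC in the repository
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: fs
          scan-ref: .
          severity: HIGH,CRITICAL
          exit-code: '1'          # block the pipeline on high/critical findings

  scan-build:           # stage 3: the artifact that goes to production
    needs: [scan-source, scan-repository]
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Build image
        run: docker build -t example-app:${{ github.sha }} .
      - name: Scan the built image before it can be deployed
        uses: aquasecurity/trivy-action@master
        with:
          scan-type: image
          image-ref: example-app:${{ github.sha }}
          severity: HIGH,CRITICAL
          exit-code: '1'
```

The point of the three separate jobs is that a finding at any stage fails the pipeline, so code that is clean when written but picks up a vulnerable dependency in the repository, or a bad base layer at build time, is still caught before deployment.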
The challenge, as always, is determining how to ensure best practices are followed without unduly slowing down the rate at which applications are being built and deployed. Application developers typically resent tools and platforms that generate too many false-positive alerts that wind up being a distraction that inhibits their ability to focus.
Developers usually don’t allocate much time to creating patches for applications, so the more tools can identify relevant issues as developers are actually writing code, the more likely it becomes developers will embrace DevSecOps practices. That’s crucial at a time when more developers are starting to rely more on AI to write code that might not be secure. The general-purpose large language models (LLMs) that these AI tools are based on have been trained using code of varying quality that has been aggregated from across the Web. As a result, it’s not uncommon for these tools to generate vulnerable code.
Longer term, however, LLMs that have been trained on code vetted for vulnerabilities should generate code that is more secure than what many human developers are currently able to produce. In the short term, though, application security, thanks to generative AI, might get worse before it gets better.
One way or another, the number of organizations embracing DevSecOps practices will only increase as requirements and regulations become more stringent. The only issue left to determine is how to best orchestrate those workflows across increasingly complex development lifecycles.
For more information, download a copy of the DevOps Report here.