theDocumentId => 1340909 More Companies Adopting DevOps & Agile for Security

Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

More Companies Adopting DevOps & Agile for Security

Measures of programming speed, security, and automation have all significantly increased in the past year, GitLab's latest survey finds.

DevOps and agile programming continue to make inroads into software-development teams, with the two development methodologies accounting for more than two-thirds (68%) of the practices at companies polled in a recent survey, according to a report published by development-tools maker GitLab on Tuesday.

The adoption coincides with developers taking an increasing role in securing software — so-called "shifting left" — with 39% of developers "feeling fully response for security," up from 28% last year, while 32% share responsibility for security with other teams, according to survey results. Overall, the security outlook among developers has increased significantly over the past year, with 72% calling their organization's security either "good" or "strong," up from 59% the prior year.

Related Content:

As DevOps Accelerates, Security's Role Changes

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Name That Edge Toon: Magical May

This year, more than any other year, integrating security into DevOps — often called DevSecOps, SecDevOps, or secure DevOps — is a reality, says Johnathan Hunt, vice president of security at GitLab.

"Last year, often no one knew who owned security, and the adoption of DevSecOps was stagnant — you could see that," he says. "Now, we are feeling better about security as an organization, and our perception of security is improving."

The survey focuses on DevOps and DevSecOps rather than on other software development methodologies, such as agile programming, scrum, kanban, or waterfall. The majority of DevOps implementations included continuous integration and continuous deployment (CI/CD), followed by the integration of security (DevSecOps), and test automation. 

While GitLab did not ask specifically about the impact of the pandemic, the last year had a significant impact on the software development community. Because programmers are ideal candidates for remote work, the vast majority of them worked remotely, which focused the teams on software development methodologies that supported a distributed workforce. 

"2020 was a catalyst for DevOps maturation,” Eric Johnson, CTO at GitLab, said in a statement. “Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year."

Nearly 4,300 respondents completed the survey in February and March 2021, with software- and DevOps-related disciplines — such as software developers and DevOps engineers — accounting for respondents' top four roles and more than two-thirds of survey takers overall.

While the increasing role of security in development is promising, there are still tensions between the two disciplines, says Hunt. The majority of DevOps developers claim that the frequency of software deployment doubled, with 28% deploying multiple times a day, 15% once a week, and 10% deploying every month.

"Even though we have seen a large increase in security ownership, that problem is not solved. There is still moderate confusion over ownership of the secure development life cycle," Hunt says.

The most significant challenge continues to be testing, including security testing, with more than 40% of the developers believing that testing happens too late in the development pipeline, according to the survey.

Testing continues to cause delays, despite the fact that nearly a quarter of respondents to the survey say their company has implemented full test automation. Another 25% of respondents, however, have no test automation or may only be thinking about automated testing. 

"There has always been this conflict on when do we test, when do we scan, when do we find these vulnerabilities, how does it slow down the development life cycle," Hunt says. "Now, developers want it sooner, and that is interesting, but they are also saying that it is too difficult to handle vulnerabilities."

Companies continue to quickly adopt artificial intelligence (AI) and machine learning (ML) to improve their development, with more than 41% adopting the technologies for testing. In 2020, only about 16% of respondents were testing using AI or ML tools. However, DevOps teams appear to be behind the curve, with just a bit more than 11% using AI and ML tools for development, up from 4% in 2020, but well behind the average.

A significant percentage of developers (30%) consider an understanding of the technologies to be critical to their future careers, ahead of soft skills, such as communication skills, which ranked No. 1. in 2020. 

"Technical skills remain an issue for DevOps teams, but that is a problem related to the rapid adoption of AI and ML," Hunt says. "As we are moving toward AI and ML, developers don't really know what to do with that technology."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The State of Cybersecurity Incident Response
In this report learn how enterprises are building their incident response teams and processes, how they research potential compromises, how they respond to new breaches, and what tools and processes they use to remediate problems and improve their cyber defenses for the future.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-3159
PUBLISHED: 2021-07-23
A stored cross site scripting (XSS) vulnerability in the /sys/attachment/uploaderServlet component of Landray EKP V12.0.9.R.20160325 allows attackers to execute arbitrary web scripts or HTML via a crafted SVG, SHTML, or MHT file.
CVE-2021-25203
PUBLISHED: 2021-07-23
Arbitrary file upload vulnerability in Victor CMS v 1.0 allows attackers to execute arbitrary code via the file upload to \CMSsite-master\admin\includes\admin_add_post.php.
CVE-2021-25204
PUBLISHED: 2021-07-23
Cross-site scripting (XSS) vulnerability in SourceCodester E-Commerce Website v 1.0 allows remote attackers to inject arbitrary web script or HTM via the subject field to feedback_process.php.
CVE-2021-25206
PUBLISHED: 2021-07-23
Arbitrary file upload vulnerability in SourceCodester Responsive Ordering System v 1.0 allows attackers to execute arbitrary code via the file upload to Product_model.php.
CVE-2021-25208
PUBLISHED: 2021-07-23
Arbitrary file upload vulnerability in SourceCodester Travel Management System v 1.0 allows attackers to execute arbitrary code via the file upload to updatepackage.php.