Dark Reading is part of the Informa Tech Division of Informa PLC


Application Security

More Companies Adopting DevOps & Agile for Security

Measures of programming speed, security, and automation have all significantly increased in the past year, GitLab's latest survey finds.

DevOps and agile programming continue to make inroads into software-development teams, with the two development methodologies accounting for more than two-thirds (68%) of the practices at companies polled in a recent survey, according to a report published by development-tools maker GitLab on Tuesday.

The adoption coincides with developers taking an increasing role in securing software — so-called "shifting left" — with 39% of developers "feeling fully responsible for security," up from 28% last year, while 32% share responsibility for security with other teams, according to survey results. Overall, the security outlook among developers has increased significantly over the past year, with 72% calling their organization's security either "good" or "strong," up from 59% the prior year.

This year, more than any other year, integrating security into DevOps — often called DevSecOps, SecDevOps, or secure DevOps — is a reality, says Johnathan Hunt, vice president of security at GitLab.

"Last year, often no one knew who owned security, and the adoption of DevSecOps was stagnant — you could see that," he says. "Now, we are feeling better about security as an organization, and our perception of security is improving."

The survey focuses on DevOps and DevSecOps rather than on other software development methodologies, such as agile programming, scrum, kanban, or waterfall. The majority of DevOps implementations included continuous integration and continuous deployment (CI/CD), followed by the integration of security (DevSecOps), and test automation. 

While GitLab did not ask specifically about the impact of the pandemic, the last year had a significant impact on the software development community. Because programmers are ideal candidates for remote work, the vast majority of them worked remotely, which focused the teams on software development methodologies that supported a distributed workforce. 

"2020 was a catalyst for DevOps maturation," Eric Johnson, CTO at GitLab, said in a statement. "Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year."

Nearly 4,300 respondents completed the survey in February and March 2021, with software- and DevOps-related disciplines — such as software developers and DevOps engineers — accounting for respondents' top four roles and more than two-thirds of survey takers overall.

While the increasing role of security in development is promising, there are still tensions between the two disciplines, says Hunt. The majority of DevOps developers claim that the frequency of software deployment doubled, with 28% deploying multiple times a day, 15% once a week, and 10% deploying every month.

"Even though we have seen a large increase in security ownership, that problem is not solved. There is still moderate confusion over ownership of the secure development life cycle," Hunt says.

The most significant challenge continues to be testing, including security testing, with more than 40% of the developers believing that testing happens too late in the development pipeline, according to the survey.

Testing continues to cause delays, despite the fact that nearly a quarter of respondents to the survey say their company has implemented full test automation. Another 25% of respondents, however, have no test automation or may only be thinking about automated testing. 

"There has always been this conflict on when do we test, when do we scan, when do we find these vulnerabilities, how does it slow down the development life cycle," Hunt says. "Now, developers want it sooner, and that is interesting, but they are also saying that it is too difficult to handle vulnerabilities."

Companies continue to quickly adopt artificial intelligence (AI) and machine learning (ML) to improve their development, with more than 41% adopting the technologies for testing. In 2020, only about 16% of respondents were testing using AI or ML tools. However, DevOps teams appear to be behind the curve, with just a bit more than 11% using AI and ML tools for development, up from 4% in 2020, but well behind the average.

A significant percentage of developers (30%) consider an understanding of the technologies to be critical to their future careers, ahead of soft skills, such as communication skills, which ranked No. 1 in 2020.

"Technical skills remain an issue for DevOps teams, but that is a problem related to the rapid adoption of AI and ML," Hunt says. "As we are moving toward AI and ML, developers don't really know what to do with that technology."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ...
 
