Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

More Companies Adopting DevOps & Agile for Security

Measures of programming speed, security, and automation have all significantly increased in the past year, GitLab's latest survey finds.

DevOps and agile programming continue to make inroads into software-development teams, with the two development methodologies accounting for more than two-thirds (68%) of the practices at companies polled in a recent survey, according to a report published by development-tools maker GitLab on Tuesday.

The adoption coincides with developers taking an increasing role in securing software — so-called "shifting left" — with 39% of developers "feeling fully response for security," up from 28% last year, while 32% share responsibility for security with other teams, according to survey results. Overall, the security outlook among developers has increased significantly over the past year, with 72% calling their organization's security either "good" or "strong," up from 59% the prior year.

Related Content:

As DevOps Accelerates, Security's Role Changes

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Name That Edge Toon: Magical May

This year, more than any other year, integrating security into DevOps — often called DevSecOps, SecDevOps, or secure DevOps — is a reality, says Johnathan Hunt, vice president of security at GitLab.

"Last year, often no one knew who owned security, and the adoption of DevSecOps was stagnant — you could see that," he says. "Now, we are feeling better about security as an organization, and our perception of security is improving."

The survey focuses on DevOps and DevSecOps rather than on other software development methodologies, such as agile programming, scrum, kanban, or waterfall. The majority of DevOps implementations included continuous integration and continuous deployment (CI/CD), followed by the integration of security (DevSecOps), and test automation. 

While GitLab did not ask specifically about the impact of the pandemic, the last year had a significant impact on the software development community. Because programmers are ideal candidates for remote work, the vast majority of them worked remotely, which focused the teams on software development methodologies that supported a distributed workforce. 

"2020 was a catalyst for DevOps maturation,” Eric Johnson, CTO at GitLab, said in a statement. “Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year."

Nearly 4,300 respondents completed the survey in February and March 2021, with software- and DevOps-related disciplines — such as software developers and DevOps engineers — accounting for respondents' top four roles and more than two-thirds of survey takers overall.

While the increasing role of security in development is promising, there are still tensions between the two disciplines, says Hunt. The majority of DevOps developers claim that the frequency of software deployment doubled, with 28% deploying multiple times a day, 15% once a week, and 10% deploying every month.

"Even though we have seen a large increase in security ownership, that problem is not solved. There is still moderate confusion over ownership of the secure development life cycle," Hunt says.

The most significant challenge continues to be testing, including security testing, with more than 40% of the developers believing that testing happens too late in the development pipeline, according to the survey.

Testing continues to cause delays, despite the fact that nearly a quarter of respondents to the survey say their company has implemented full test automation. Another 25% of respondents, however, have no test automation or may only be thinking about automated testing. 

"There has always been this conflict on when do we test, when do we scan, when do we find these vulnerabilities, how does it slow down the development life cycle," Hunt says. "Now, developers want it sooner, and that is interesting, but they are also saying that it is too difficult to handle vulnerabilities."

Companies continue to quickly adopt artificial intelligence (AI) and machine learning (ML) to improve their development, with more than 41% adopting the technologies for testing. In 2020, only about 16% of respondents were testing using AI or ML tools. However, DevOps teams appear to be behind the curve, with just a bit more than 11% using AI and ML tools for development, up from 4% in 2020, but well behind the average.

A significant percentage of developers (30%) consider an understanding of the technologies to be critical to their future careers, ahead of soft skills, such as communication skills, which ranked No. 1. in 2020. 

"Technical skills remain an issue for DevOps teams, but that is a problem related to the rapid adoption of AI and ML," Hunt says. "As we are moving toward AI and ML, developers don't really know what to do with that technology."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
FluBot Malware's Rapid Spread May Soon Hit US Phones
Kelly Sheridan, Staff Editor, Dark Reading,  4/28/2021
Slideshows
7 Modern-Day Cybersecurity Realities
Steve Zurier, Contributing Writer,  4/30/2021
Commentary
How to Secure Employees' Home Wi-Fi Networks
Bert Kashyap, CEO and Co-Founder at SecureW2,  4/28/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-35519
PUBLISHED: 2021-05-06
An out-of-bounds (OOB) memory access flaw was found in x25_bind in net/x25/af_x25.c in the Linux kernel version v5.12-rc5. A bounds check failure allows a local attacker with a user account on the system to gain access to out-of-bounds memory, leading to a system crash or a leak of internal kernel i...
CVE-2021-20204
PUBLISHED: 2021-05-06
A heap memory corruption problem (use after free) can be triggered in libgetdata v0.10.0 when processing maliciously crafted dirfile databases. This degrades the confidentiality, integrity and availability of third-party software that uses libgetdata as a library. This vulnerability may lead to arbi...
CVE-2021-30473
PUBLISHED: 2021-05-06
aom_image.c in libaom in AOMedia before 2021-04-07 frees memory that is not located on the heap.
CVE-2021-32030
PUBLISHED: 2021-05-06
The administrator application on ASUS GT-AC2900 devices before 3.0.0.4.386.42643 allows authentication bypass when processing remote input from an unauthenticated user, leading to unauthorized access to the administrator interface. This relates to handle_request in router/httpd/httpd.c and auth_chec...
CVE-2021-22209
PUBLISHED: 2021-05-06
An issue has been discovered in GitLab CE/EE affecting all versions starting from 13.8. GitLab was not properly validating authorisation tokens which resulted in GraphQL mutation being executed.