Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

End of Bibblio RCM includes -->

More Companies Adopting DevOps & Agile for Security

Measures of programming speed, security, and automation have all significantly increased in the past year, GitLab's latest survey finds.

DevOps and agile programming continue to make inroads into software-development teams, with the two development methodologies accounting for more than two-thirds (68%) of the practices at companies polled in a recent survey, according to a report published by development-tools maker GitLab on Tuesday.

The adoption coincides with developers taking an increasing role in securing software — so-called "shifting left" — with 39% of developers "feeling fully response for security," up from 28% last year, while 32% share responsibility for security with other teams, according to survey results. Overall, the security outlook among developers has increased significantly over the past year, with 72% calling their organization's security either "good" or "strong," up from 59% the prior year.

Related Content:

As DevOps Accelerates, Security's Role Changes

Special Report: Assessing Cybersecurity Risk in Today's Enterprises

New From The Edge: Name That Edge Toon: Magical May

This year, more than any other year, integrating security into DevOps — often called DevSecOps, SecDevOps, or secure DevOps — is a reality, says Johnathan Hunt, vice president of security at GitLab.

"Last year, often no one knew who owned security, and the adoption of DevSecOps was stagnant — you could see that," he says. "Now, we are feeling better about security as an organization, and our perception of security is improving."

The survey focuses on DevOps and DevSecOps rather than on other software development methodologies, such as agile programming, scrum, kanban, or waterfall. The majority of DevOps implementations included continuous integration and continuous deployment (CI/CD), followed by the integration of security (DevSecOps), and test automation. 

While GitLab did not ask specifically about the impact of the pandemic, the last year had a significant impact on the software development community. Because programmers are ideal candidates for remote work, the vast majority of them worked remotely, which focused the teams on software development methodologies that supported a distributed workforce. 

"2020 was a catalyst for DevOps maturation,” Eric Johnson, CTO at GitLab, said in a statement. “Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year."

Nearly 4,300 respondents completed the survey in February and March 2021, with software- and DevOps-related disciplines — such as software developers and DevOps engineers — accounting for respondents' top four roles and more than two-thirds of survey takers overall.

While the increasing role of security in development is promising, there are still tensions between the two disciplines, says Hunt. The majority of DevOps developers claim that the frequency of software deployment doubled, with 28% deploying multiple times a day, 15% once a week, and 10% deploying every month.

"Even though we have seen a large increase in security ownership, that problem is not solved. There is still moderate confusion over ownership of the secure development life cycle," Hunt says.

The most significant challenge continues to be testing, including security testing, with more than 40% of the developers believing that testing happens too late in the development pipeline, according to the survey.

Testing continues to cause delays, despite the fact that nearly a quarter of respondents to the survey say their company has implemented full test automation. Another 25% of respondents, however, have no test automation or may only be thinking about automated testing. 

"There has always been this conflict on when do we test, when do we scan, when do we find these vulnerabilities, how does it slow down the development life cycle," Hunt says. "Now, developers want it sooner, and that is interesting, but they are also saying that it is too difficult to handle vulnerabilities."

Companies continue to quickly adopt artificial intelligence (AI) and machine learning (ML) to improve their development, with more than 41% adopting the technologies for testing. In 2020, only about 16% of respondents were testing using AI or ML tools. However, DevOps teams appear to be behind the curve, with just a bit more than 11% using AI and ML tools for development, up from 4% in 2020, but well behind the average.

A significant percentage of developers (30%) consider an understanding of the technologies to be critical to their future careers, ahead of soft skills, such as communication skills, which ranked No. 1. in 2020. 

"Technical skills remain an issue for DevOps teams, but that is a problem related to the rapid adoption of AI and ML," Hunt says. "As we are moving toward AI and ML, developers don't really know what to do with that technology."

Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT's Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline ... View Full Bio

Comment  | 
Print  | 
More Insights
//Comments
Newest First  |  Oldest First  |  Threaded View
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Black Hat USA 2022 Attendee Report
Black Hat attendees are not sleeping well. Between concerns about attacks against cloud services, ransomware, and the growing risks to the global supply chain, these security pros have a lot to be worried about. Read our 2022 report to hear what they're concerned about now.
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-35942
PUBLISHED: 2022-08-12
Improper input validation on the `contains` LoopBack filter may allow for arbitrary SQL injection. When the extended filter property `contains` is permitted to be interpreted by the Postgres connector, it is possible to inject arbitrary SQL which may affect the confidentiality and integrity of data ...
CVE-2022-35949
PUBLISHED: 2022-08-12
undici is an HTTP/1.1 client, written from scratch for Node.js.`undici` is vulnerable to SSRF (Server-side Request Forgery) when an application takes in **user input** into the `path/pathname` option of `undici.request`. If a user specifies a URL such as `http://127.0.0.1` or `//127.0.0.1` ```js con...
CVE-2022-35953
PUBLISHED: 2022-08-12
BookWyrm is a social network for tracking your reading, talking about books, writing reviews, and discovering what to read next. Some links in BookWyrm may be vulnerable to tabnabbing, a form of phishing that gives attackers an opportunity to redirect a user to a malicious site. The issue was patche...
CVE-2022-35956
PUBLISHED: 2022-08-12
This Rails gem adds two methods to the ActiveRecord::Base class that allow you to update many records on a single database hit, using a case sql statement for it. Before version 0.1.3 `update_by_case` gem used custom sql strings, and it was not sanitized, making it vulnerable to sql injection. Upgra...
CVE-2022-35943
PUBLISHED: 2022-08-12
Shield is an authentication and authorization framework for CodeIgniter 4. This vulnerability may allow [SameSite Attackers](https://canitakeyoursubdomain.name/) to bypass the [CodeIgniter4 CSRF protection](https://codeigniter4.github.io/userguide/libraries/security.html) mechanism with CodeIgniter ...