Highly mature DevOps organizations that are able to integrate security functions into all stages of development are providing their developers with more self-service tooling and, consequently, they're fixing vulnerabilities faster as a result. So says the "2020 State of DevOps Report," which shows security maturity has slowly but surely improved across DevOps organizations this year.
The report is based on one of the longest running and comprehensive annual surveys of DevOps practitioners, this year querying 2,400 professionals from a range of development, IT, and information security roles within their organizations. A big theme this year is the role that self-service tools plays in DevOps success — not just for security, but also to enable engineering teams with self-service functions to provision systems, manage configurations, track performance, and tap into software component libraries.
The report shows the highest maturity organizations take an internal platform approach to deliver these self-service capabilities, often managed by a platform team who scales platforms to support the work of a mesh of different development teams and applications projects across an organization.
"Broadly speaking, the platform team provides the infrastructure, environments, deployment pipelines, and other internal services that enable internal customers — usually application development teams — to build, deploy and run their applications," the report explains.
The survey shows 63% of organizations today use internal platforms, with about 71% of those using between two to five different internal platforms. Approximately four in 10 organizations say 50% or more of their developers now use internal platforms.
The ability for organizations to fold self-service security functionality into these internal platforms tends to be highly correlated to the degree to which security integration has been achieved across the software delivery life cycle. The survey asked respondents to pick which of the five phases of the life cycle where security is integrated: requirements, design, building, testing, and deployment. It found the ratio of organizations with two or more phases integrated has gone up from 63% last year to 70% this year. The ratio of organizations with complete integration now stands at 12%.
As the report explains, the self-service offering of security and compliance validation is intertwined with the push for greater integration. Meanwhile, among those with three to four phases of development integrated with security, 42% offer self-service security and compliance validation. And 58% those that have achieved full security integration across all five phases say they provide self-service security. Companies that have fully integrated security are more than twice as likely to offer self-service security as firms with no security integration.
"Integrating security at every stage of the software delivery life cycle is more than just shifting security checks to the left," the report explains. "Security integration requires a completely different approach, one that emphasizes cross‑team collaboration and empowers delivery teams to autonomously prevent, discover and remediate security issues."
Greater integration and use of self-service security seem to contribute highly to positive application security results. Only 25% of organizations with no security integration and low levels of self-service security capabilities say they can remediate critical security vulnerabilities in under a day. On the other side of the spectrum, 45% of organizations with full security integration and high incidence of self-service security offerings say they can fix critical flaws within a day.