Key Attributes of Elite DevSecOps Programs

Editor’s note: This blog post was written by guest contributor Derek Weeks, vice president of Sonatype.

If you really want to know how organizations are approaching DevSecOps, you need to talk with a lot of people. That’s just what we’ve done for the past six years. In fact, we’ve surveyed over 15,000 people about their DevSecOps practices since 2014.

We’ve learned a lot, identified trends and shared plenty of insight into what the leading and lagging organizations are doing. The survey demonstrates the security effectiveness of teams with varying levels of DevSecOps maturity. Specifically, it looked at how automation, training, planning and development practices such as deployment intervals all play a role in security.

To better articulate what elite DevSecOps shops are doing, we identified key attributes that those with mature programs are practicing. Here are five to get you started:

  1. Embrace automation. Elite DevSecOps practices are 350% more likely to have fully integrated and automated security practices across the DevOps pipeline.
  2. Favor container security, web application firewalls and software component analysis. 91% of elite DevOps practices emphasize security at the container/application level, 85% prioritize additional resources at the web application firewall level, and 84% emphasize governance of open source components used in development.
  3. Utilize more third-party tools to augment cloud service security. Elite DevSecOps practices are almost twice as likely to augment the security features delivered by their cloud providers with third-party cloud security tools, as compared to non-DevOps projects.
  4. Get faster feedback. Automation within developer tooling allows elite teams to address infosec and app security issues faster. 63% of elite practices are notified through their tools.
  5. Follow open source governance policies. Elite teams are 62% more likely to follow established policies, whereas only 25% of teams without DevOps practices follow policy.

As we continue to see the number of successful breaches of applications rising, elite DevOps organizations are making investments to better protect themselves. They’re investing in more training, incident response plans, integrated application security practices and organizational silo-busting. To learn what other attributes and practices leading DevSecOps teams demonstrate, come join my upcoming session at DevOps World | Jenkins World in San Francisco, August 12-15. During the session, I’ll highlight 10 additional DevSecOps practices.

There’s still time to register for DevOps World | Jenkins World 2019, if you haven’t already.

See you there.