‘Elite’ DevOps Practices Outperforming Less Mature Teams in DevOps Automation and Open Source Controls, According to 2019 DevSecOps Community Survey
SAN JOSE, CA. – March 4, 2019 – CloudBees, the enterprise DevOps leader powering the continuous economy, along with survey lead Sonatype, today announced the results of the 6th annual DevSecOps Community Survey. While DevOps practices are maturing rapidly, corporate application security initiatives are only gradually gaining traction, according to the survey, which was conducted by Sonatype, CloudBees, Carnegie Mellon’s Software Engineering Institute and several other partners. The 2019 DevSecOps Community Survey of 5,558 IT professionals also found that organizations with elite DevSecOps programs are outperforming others in DevOps automation, open source controls, container controls, training and cybersecurity preparedness. The survey was led by Sonatype, with CloudBees as a major sponsor.
The survey showed that 28 percent of all organizations have adopted “very mature” DevOps practices, company-wide or in pockets, up slightly from 25 percent in 2018. Another 49 percent reported their DevOps practices as “improving.” Overall, 95 percent of respondents say their organizations are using advanced development processes – agile, DevOps and/or continuous integration/continuous delivery (CI/CD) – with the remainder clinging to legacy waterfall development methods. Deployments are also getting more frequent – with 9 percent saying they deploy with every change and 65 percent deploying at least once per week.
“The clear increase in adoption of modern development practices of Agile, CD and DevOps signifies important progress in the software delivery space,” said Brian Dawson, DevOps evangelist, CloudBees. “These practices are the foundation for the wider adoption of DevSecOps practices and a security-first mindset. Software is intertwined in the very fabric of our business and personal lives, making it critical that we continuously secure software by automating key security practices into the development and delivery pipeline. There’s still a lot of work to do to get to DevSecOps but, as an industry, we are making progress.”
The survey showed mixed levels of progress on the security front. Overall, only 54 percent of respondents said their organizations have cybersecurity incident response plans in place – unchanged from 2018. More than a quarter (26 percent) have no protections for confidential information such as passwords and API keys. And security tools are still not well integrated with the DevOps pipeline: only 11 percent of respondents report security tooling fully integrated and automated across the pipeline, while 75 percent report it as only partially integrated or not integrated at all.
Breaches are still happening, but respondents report them less often. Seventeen percent of respondents said their companies experienced a breach definitely or possibly tied to a web application vulnerability in the past year – down from one third a year ago.
Developers themselves seem to want to get more involved in the application security (appsec) process. Based on the survey, 28 percent were fully focused on appsec, and another 46 percent want to be but are too busy. To get up to speed they would need training – but 17 percent of survey takers said their companies have no application security training available.
Meanwhile, organizations that have developed “elite” practices are outperforming peers in several areas. For example, in DevOps automation, organizations with elite DevSecOps practices are six times more likely to have fully integrated and automated security practices across the DevOps pipeline than their less mature peers. In open source controls, 62 percent of those with elite programs have an open source governance policy in place and follow it, compared to just a quarter of those without DevOps practices. For container controls, 51 percent of respondents with elite practices say they use security products to identify vulnerabilities in containers, while only 16 percent of those without elite practices said the same.
- Download the full survey results and analysis
- Attend the webinar, Exploring the 2019 DevSecOps Survey Results
- Read the Sonatype press release
- Read the Sonatype blog
About CloudBees
CloudBees is powering the continuous economy by building the world’s first end-to-end system for automating software delivery, the CloudBees Suite. The CloudBees Suite builds on emerging DevOps practices and continuous integration (CI) and continuous delivery (CD) automation, adding a layer of governance, visibility and insights necessary to achieve optimum efficiency and control new risks. Since every company in the world is now a software company, this new automated software delivery system is becoming the most mission-critical business system in the modern enterprise. As today’s clear leader in CI/CD, CloudBees is uniquely positioned to define and lead this new category. CloudBees puts companies on the fastest path to transforming great ideas into great software and returning value to the business more quickly.
Backed by Matrix Partners, Lightspeed Venture Partners, Verizon Ventures, Delta-v Capital, Golub Capital and Unusual Ventures, CloudBees was founded in 2010 by former JBoss CTO Sacha Labourey and an elite team of continuous integration, continuous delivery and DevOps professionals. Follow CloudBees on Twitter, Facebook and LinkedIn.
About the Survey
The 2019 DevSecOps Community Survey provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 41 questions asked by Sonatype and our DevOps community advocates including CloudBees, Signal Sciences, Twistlock, and Carnegie Mellon’s Software Engineering Institute. The survey’s margin of error is ±1.226 percentage points for 5,558 IT professionals at the 95% confidence level.