ESG research: leveraging observability data for DevSecOps
There’s a call throughout the industry to shift security left in the software development lifecycle, expanding the DevOps methodologies that have been growing in adoption for more than a decade. DevSecOps is based on the idea that security is not an afterthought. Rather, it is a collaborative process that must be integrated from the start of the development process. To make this collaboration possible, every team—from security to development to operations—needs tools and a common language to communicate and succeed together.
At Mezmo, some of our most successful customers are adopting DevSecOps methodologies to ship and maintain more resilient and secure products. For them, using observability data as a single source of truth has been crucial to the success of these initiatives. So, we partnered with Enterprise Strategy Group (ESG) to understand how other enterprise companies feel about DevSecOps and how they can leverage their observability data to move the needle forward. Check out the highlights of their findings below and download the full report here.
As organizations adopt modern software development processes in the cloud, they are looking to incorporate security processes and controls into their software development lifecycle (SDLC).
Though only 22% of organizations said they have developed a DevSecOps strategy, 62% of organizations have a plan or are evaluating use cases for it, showing significant future growth. Across the board, 82% of respondents say accelerating the mean time to resolve security alerts and incidents is a top priority for their security team. Of those who are already leveraging DevSecOps, an overwhelming 95% report a positive impact on accelerating incident detection and 96% on response efforts.
DevSecOps challenges today
Developer efficiency is all about shortening feedback loops so that developers can get the information they need to take action. It’s essential that they get accurate, timely information at every stage of the SDLC so that they can write high quality code and address issues once that code is in production.
As organizations increase the speed and volume of releases to serve more customers, they are collecting huge volumes of data. Almost one-third of organizations surveyed capture hundreds of terabytes of application data per month. But, it’s costly to collect this much data just for the sake of collecting it. In fact, 69% of respondents admit that they don’t capture certain data sources because of the high cost of storage and retention. This is problematic if there is an incident and the organization has incomplete data for a thorough analysis and timely response, not to mention potential compliance issues.
For those who have adopted DevSecOps, data capture and analysis are at the top of the list of challenges related to implementing it.
Observability and DevSecOps
“DevSecOps has been a challenge because traditional security methods are too disruptive to processes; organizations need solutions that work within developer workflows and tools along with their cloud-native tech stack,” said Melinda Marks, Senior Analyst at ESG. “Leveraging observability data can help drive efficiency by utilizing data to provide insight for better security processes, policies, and faster incident response.”
The study shows that 91% of organizations are using more than one tool to get the most value out of their data, which makes it difficult for multiple teams to have access to the data they need to do their jobs. Not having a “single source of truth” is reported as the greatest challenge holding teams back.
Eighty-seven percent of respondents said that they are using open source tools as part or all of their observability stack today because they are more customizable. But, 84% believe it will become challenging to manage, adopt, and scale with these solutions. Nearly all survey respondents (98%), with titles across teams, from application developers to IT and security professionals, said they will likely investigate a managed observability solution over the next 12 months. This reflects what we’re hearing in the market and from leaders like Gartner, who recently showed observability on the decline from the “height of inflated expectations” in their Hype Cycle for Monitoring, Observability and Cloud Operations, 2022. It’s clear that the observability solutions that enterprises have used for the last decade aren’t providing what they need as they adopt modern ways of working, like DevSecOps.
For more insight about DevSecOps and the role observability plays in successful adoption, download the report or reach out to an expert at Mezmo to find out how to modernize your observability practice at firstname.lastname@example.org.