DevSecOps adoption is low but packing a punch in user organizations

By Esther Shein on TechRepublic

Only 22% of respondent organizations have developed a formal DevSecOps strategy integrating security into software development life cycle processes, a newly released report finds. But of those, an overwhelming percentage reported a positive impact on accelerating incident detection (95%) and response (96%) efforts, according to observability data platform provider Mezmo.

Although adoption is low for now, the study also confirms potential growth in the industry with 62% of respondents saying their organization is actively evaluating use cases or has plans to implement DevSecOps.

“DevSecOps has been a challenge because, with cloud-native development, developers can provision and deploy their own applications to the cloud without the help of other teams,” explained Melinda Marks, senior analyst at ESG, which conducted the survey on behalf of Mezmo. “It is difficult for security teams to incorporate security testing or processes into development because if it’s disruptive, developers may skip certain security processes if it seems to take too much time, or if it will generate too many alerts for them to fix.”

The other issue is that developers may be using testing tools to test and fix issues in their code, but security teams don’t have visibility into what they are doing, Marks added. The security products that many organizations have in place monitor the applications when they are running in the cloud for misconfigurations—but at that point, the issues are much harder to fix and are exposed to customers and hackers because the applications are live, according to Marks.

Of the 200 DevOps and IT/information security professional respondent organizations, the study found that more than half using DevSecOps tools and processes experienced a significant reduction in incidents that occur in production. The greatest impact reported was on accelerating incident detection efforts, and nearly half reported significant improvements in incident response and remediation times.

Factors limiting DevSecOps adoption and success

According to the research, there are distinct differences between the perceived and actual challenges of implementation. Companies believe that establishing a culture of collaboration and encouraging developers to leverage security best practices are nearly equal in importance to adopting DevSecOps tools, Mezmo said. While it is common to expect cultural transformation to be a roadblock prior to adoption, those practicing DevSecOps report that technical limitations, such as data capture and analysis, are actually greater barriers to success.

Eighty-four percent of respondents believe that getting the right data and tools to developers is key for enabling success. But, as organizations increase the speed and volume of releases to serve more customers, they are collecting huge volumes of data. Organizations surveyed capture several (54%) or even hundreds (32%) of terabytes per month, with 6% capturing a petabyte or more per month.

This amount of data is costly to collect and store, and parsing through it for incident triage and response is time-consuming. In fact, 17.5 person-hours is the average time it takes to triage and understand security incidents—an amount that 82% of companies would like to reduce. Most organizations (69%) do not capture certain data sources because of the high cost of storage/retention, which is problematic if there is an incident and the organization has incomplete data for a thorough analysis and/or timely response.

How to make the most of data with observability

The study shows that 91% of organizations are using multiple tools to get the most value out of their data, which makes it difficult for multiple groups to have access to the data they need to do their jobs. Not having a “single source of truth” is reported as the greatest challenge holding back teams.

Modern software development is all about speed and efficiency, Marks said. “DevSecOps has been a challenge because traditional security methods are too disruptive to processes; organizations need solutions that work within developer workflows and tools along with their cloud-native tech stack.”

When observability data is utilized, it can help drive efficiency because it provides insight for better security processes, policies, and faster incident response, she said.

“To move fast and build secure applications, companies need solutions that help them to fully harness the value of their data to drive better results,” said Tucker Callaway, CEO of Mezmo, in a statement. “To achieve this, teams are looking for observability solutions that are flexible and scalable, with automation features to help improve data collection and analysis.”

Right now, most companies (87%) are using open source tools as part or all of their observability stack because they are more customizable. But 84% believe it will become challenging to manage, adopt and scale with these tools.

Nearly all survey respondents (98%), with titles ranging from application developers to IT and security professionals, said they will likely investigate a managed observability solution over the next 12 months, according to Mezmo.