Mezmo on Tuesday released research that found while only 22% of organizations say they have developed a DevSecOps strategy, 62% of organizations have a plan or are evaluating use cases for it, showing significant future growth.
Better still, of those who are already leveraging DevSecOps, an overwhelming 95% report a positive impact on accelerating incident detection, and 96% on response efforts.
“DevSecOps has been a challenge because traditional security methods are too disruptive to processes," said Melinda Marks, a senior analyst at the Enterprise Strategy Group who conducted the research. “Organizations need solutions that work within developer workflows and tools along with their cloud-native tech stack. Leveraging observability data can help drive efficiency by utilizing data to provide insight for better security processes, policies, and faster incident response.”
The study also showed that 91% of organizations are using more than one tool to get the most value out of their data, which makes it difficult for multiple teams to have access to the data they need to do their jobs. Not having a “single source of truth” was reported as the greatest challenge holding teams back.
DevSecOps requires many changes across organizations to get the benefits, said Peter Chestna, CISO at Checkmarx. Chestna said most turn back or stumble before breaking through and realizing the positive impact DevSecOps can have.
“The report points to collecting and reporting the right KPIs as a key step to success,” Chestna said. “Once we have the facts, we must have a learning culture that’s empowered and measured on continuous improvement. For DevSecOps particularly, mutual accountability for application security between Sec and Dev are essential. Making problems ours to solve decreases the time-to-action and results. Cresting the challenge may not be easy, but the results from the effort are amazing."
Hank Schless, senior manager, security solutions at Lookout, added that integrating security into DevOps workflows has become an important part of the software development lifecycle for organizations that leverage CI/CD tools. Schless said because there’s a continuous cycle of integration and delivery, developers are held to high expectations for delivering updates and improvements to their products.
“Customers and users expect to have the latest and greatest available to them, and if it’s not they’ll move on to a different SaaS product,” Schless said. “This expectation has led to the unfortunate fact that pushing new updates to meet deadlines sometimes overrides security testing. To ensure secure development processes, development teams and security teams need to collaborate and adopt a DevSecOps approach to delivering their services.”