DevSecOps, a methodology that integrates security practices into the DevOps workflow, has emerged as a critical approach to ensure the security and efficiency of software development processes. The recent SANS survey report offers a fascinating glimpse into the state of DevSecOps, and presents a comprehensive analysis of survey demographics, key findings, and critical focus areas.
The foundation of the report's significance lies in its survey demographics. With 363 respondents spanning a diverse array of roles, industries, and organizational sizes, the report provides a panoramic view of the DevSecOps landscape. It notes a shift toward security, with 34% of respondents directly engaged in security functions. The prominence of security administrators and analysts (10.2%) underscores how important security is to the DevSecOps paradigm.
A noteworthy revelation is the substantial representation of development roles. A full 21% of respondents hold roles as application developers, cloud architects, software engineers, and DevOps engineers. As DevSecOps shifts security left into development, the survey highlights the need for integration between these domains.
Perhaps the most compelling insight is that 13% of respondents hold business management roles, signaling that DevSecOps now has mainstream recognition as not merely a technical concern but a crucial business strategy. This shift demonstrates how DevSecOps is becoming a holistic organizational imperative.
The SANS report findings on the challenges of DevSecOps adoption show that acquiring funding for new security and testing tools is still a roadblock for many organizations. This underlines the necessity of aligning financial resources with the imperative of fortifying DevSecOps practices.
Success factors identified by respondents emphasize how security communication can build bonds across organizations. The cultivation of "security champions" through professional development activities stands out as an effective strategy for promoting security awareness and cooperation across teams.
A new trend in this year’s report is the number of respondents (16%) exploring artificial intelligence (AI) and data science for enhancing DevSecOps. This trend mirrors the broader industry trajectory, as organizations increasingly leverage AI to automate and augment their security measures.
The most recent SANS report outlines several critical focus areas for building a thriving DevSecOps program.
While this brief summary gives you a high-level overview, the SANS report on DevSecOps is worth a deeper dive to understand the challenges, successes, and trends shaping DevSecOps right now. The report equips organizations with the knowledge to fortify their security postures while fostering seamless development and operational practices. The resounding message is clear: DevSecOps is not just a technical endeavor but a strategic imperative that bridges the realms of security, development, and operations, ushering organizations into a new era of software excellence.
Black Duck offers an industry-leading portfolio of application security testing (AST) solutions to empower your organization's consolidation efforts. Black Duck offers the "big three" testing protocols—static application security testing (SAST), dynamic application security testing (DAST), and source code analysis (SCA)—and a host of other tests as well, including interactive application security testing (IAST), fuzzing, and mobile penetration software. Black Duck AST solutions are open platform and include over 135 integrations, so you can make more efficient use of the tools you already own. Black Duck offers completely flexible security testing solutions that deliver results for your on-premises, software as a service (SaaS), or headless API environment. Regardless of whether you're using Black Duck solutions or third-party, open source, or manual testing solutions, they all integrate into Software Risk Manager, our application security posture management (ASPM) solution. At any stage in the SDLC, Black Duck has strategic solutions at the best value to map your program to consolidation success.
- This blog post was reviewed by Steven Zimmerman.
Learn how the Polaris platform can help you scale your DevSecOps program