DevSecOps, a methodology that integrates security practices into the DevOps workflow, has emerged as a critical approach to ensure the security and efficiency of software development processes. The recent SANS survey report offers a fascinating glimpse into the state of DevSecOps, and presents a comprehensive analysis of survey demographics, key findings, and critical focus areas.
The report's value starts with its survey demographics. With 363 respondents spanning a wide range of roles, industries, and organization sizes, it gives a broad view of the DevSecOps landscape. It notes a shift toward security, with 34% of respondents directly engaged in security functions; security administrators and analysts alone account for 10.2%, underscoring how central security staff have become to the DevSecOps paradigm.
Development roles are also well represented: 21% of respondents are application developers, cloud architects, software engineers, or DevOps engineers. As DevSecOps shifts security left into development, the survey highlights the need for close integration between the security and engineering domains.
Another notable finding is that 13% of respondents hold business management roles, signaling that DevSecOps is now recognized not merely as a technical concern but as a business strategy. This shift shows DevSecOps becoming an organization-wide imperative rather than a concern confined to engineering.
On the challenges of DevSecOps adoption, the report finds that securing funding for new security and testing tools is still a roadblock for many organizations. This underlines the need to align budgets with the goal of strengthening DevSecOps practices.
Among the success factors respondents identified, security communication stands out as a way to build relationships across the organization. Cultivating "security champions" within development and operations teams through professional development activities is called out as an effective strategy for promoting security awareness and cooperation across teams.
New in this year's report is the share of respondents (16%) exploring artificial intelligence (AI) and data science to enhance DevSecOps. This mirrors the broader industry trajectory, as organizations increasingly use AI to automate and augment their security measures.
The most recent SANS report outlines several critical focus areas for building a thriving DevSecOps program.
While this brief summary gives a high-level overview, the SANS DevSecOps report is worth a deeper dive to understand the challenges, successes, and trends shaping DevSecOps right now. It equips organizations with the knowledge to strengthen their security posture while keeping development and operations running smoothly. The message is clear: DevSecOps is not just a technical endeavor but a strategic imperative that bridges security, development, and operations.
Black Duck offers an industry-leading portfolio of application security testing (AST) solutions to support your organization's tool consolidation efforts. Black Duck covers the "big three" testing approaches, static application security testing (SAST), dynamic application security testing (DAST), and software composition analysis (SCA), as well as a host of other tests, including interactive application security testing (IAST), fuzzing, and mobile application penetration testing. Black Duck AST solutions are an open platform with over 135 integrations, so you can make more efficient use of the tools you already own. Black Duck offers flexible security testing solutions that deliver results for on-premises, software as a service (SaaS), or headless API environments. Whether you are using Black Duck solutions or third-party, open source, or manual testing, the results all integrate into Software Risk Manager, our application security posture management (ASPM) solution. At any stage in the SDLC, Black Duck has solutions to map your program to consolidation success.