Resources Blog 2018 DevSecOps Community Survey: Automation Races Against ...

2018 DevSecOps Community Survey: Automation Races Against Breaches

As the world witnessed record breaches in 2017, leading IT teams were integrating and automating more security practices throughout the software development lifecycle to better fortify applications and protect their data.

Equifax was not alone

It has now been seven months since Equifax publicly disclosed a major breach in their systems stemming from a hack that targeted vulnerable open source components.  Many consider that breach an anomaly of poor cyber hygiene, but our survey results tell a different story.  Equifax was not alone. 

New research published today, reveals that breaches pinned to open source software components are up 55% year over year.  Sonatype’s 2018 DevSecOps Community Survey reported that breaches were recorded across 31% of enterprises represented by the 2,076 IT professionals who participated in this year’s survey.

Screen Shot 2018-04-15 at 1.50.53 PM

One might wonder if the persistence of Equifax news headlines influenced the year over year increase.  While we have no way to prove this theory, we can compare the 2018 results to our 2014 survey responses for a better perspective.  Since Sonatype’s 2014 survey, open source software related breaches increased 121%.  Interestingly, the 2014 survey was conducted during the month of April when the notorious Heartbleed vulnerability had been announced and was top of mind for many respondents.

The race for automated security 

The 2018 DevSecOps Community Survey also delivered positive news.  Year over year results point to a steady 15% increase in automated security being integrated throughout the software development lifecycle for mature DevOps practices.  Compared to organizations with no DevOps practices, those with mature DevOps practices were 338% more likely to have integrated security across the development lifecycle. 

Screen Shot 2018-04-15 at 1.50.41 PM

At a time when security breach announcements are persistent, it is encouraging to see strong investments being made across the DevOps community to reduce the risk of unlawful entry and data theft by hackers. 

Increased investments were not the only encouraging signs from the survey data.  When asked to rate their cybersecurity readiness, respondents from mature DevOps practices rated themselves 85% higher than those with no DevOps practices.  With greater investments in automated application security being made throughout the development lifecycle, “secure by design” practices had boosted the confidence of the developers and DevOps teams.

Automation is difficult to ignore

Over the past several years, our survey has reflected the growth in enterprise DevSecOps initiatives that have successfully incorporated automated security practices, strengthened their cybersecurity posture, and readied themselves for government regulations on the horizon. This survey demonstrates that DevSecOps practices continue to mature rapidly and that, once automated, security is difficult to ignore.

While some results of our survey may surprise you, I hope they also encourage you to begin new conversations with your peers and across our industry. Sharing these results can help motivate all of us to further mature DevSecOps practices everywhere and to establish new benchmarks for speed, quality, and security.

Please take a moment to download the survey and review the results.  Then ask, how does your organization match up? 



Picture of Derek Weeks

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.