News and Notes from the Makers of Nexus | Sonatype Blog

2018 DevSecOps Community Survey: Automation Races Against Breaches

Written by Derek Weeks | April 16, 2018

As the world witnessed record breaches in 2017, leading IT teams were integrating and automating more security practices throughout the software development life cycle (SDLC) to better fortify applications and protect their data.

Equifax Was Not Alone

It has now been seven months since Equifax publicly disclosed a major breach of its systems caused by an attack that targeted vulnerable open source components. Many consider that breach an anomaly of poor cyber hygiene, but our survey results tell a different story. Equifax was not alone.

New research published today reveals that breaches attributed to open source software components are up 55% year over year. Sonatype's 2018 DevSecOps Community Survey recorded breaches at 31% of the enterprises represented by the 2,076 IT professionals who participated in this year's survey.

One might wonder whether the persistence of Equifax news headlines influenced the year-over-year increase. While we have no way to prove this theory, we can compare the 2018 results with our 2014 survey responses for a longer perspective. Since Sonatype's 2014 survey, reported open source software breaches have increased 121%. Interestingly, the 2014 survey was conducted in April, when the notorious Heartbleed vulnerability was announced and was top of mind for many respondents.

The Race for Automated Security

The 2018 DevSecOps Community Survey also delivered positive news. Year-over-year results indicate a steady 15% increase in automated security being integrated throughout the software development life cycle in mature DevOps practices. Compared with organizations with no DevOps practices, those with mature DevOps practices were 338% more likely to have integrated security across the SDLC.

At a time when security breach announcements are persistent, it is encouraging to see strong investments made across the DevOps community to reduce the risk of unlawful entry and data theft by hackers.

Increased investments were not the only encouraging sign in the survey data. When asked to rate their cybersecurity readiness, respondents from mature DevOps practices rated themselves 85% higher than those with no DevOps practices. With greater investments in automated application security being made throughout the development life cycle, "secure by design" practices have boosted the confidence of developers and DevOps teams.

Automation Is Difficult to Ignore

Over the past several years, our survey has reflected the growth in enterprise DevSecOps initiatives that have successfully incorporated automated security practices, strengthened their cybersecurity posture, and readied themselves for government regulations on the horizon. This survey demonstrates that DevSecOps practices continue to mature rapidly, and that security is difficult to ignore.

While some results of our survey may surprise you, I hope they also encourage you to begin new conversations with your peers and across our industry. Sharing these results can help us further mature DevSecOps practices everywhere and establish new benchmarks for speed, quality, and security.

Please take a moment to download the survey and review the results. Then ask, how does your organization match up?