New DevOps Research From Sonatype Reveals Changing Attitudes Toward Application Security in the Financial Services Sector


Top performing software development teams embrace DevSecOps automation.

Fulton, MD – April 25, 2017 – Sonatype, the leader in software supply chain automation, today announced the financial services results of its 2017 DevSecOps Community Survey. 412 financial services IT professionals participated in the online survey conducted in February 2017, out of a total of 2,292 survey respondents.

The survey revealed that mature development organizations ensure automated security is woven into their DevOps practice early, everywhere, and at scale. More than three-quarters (76%) of financial services organizations with more than 500 developers (large financial services organizations) describe their DevOps practices as very mature or improving in maturity, compared to just 67% of all survey respondents and 66% of financial services respondents.

Analysis of responses also found that 21% of financial services organizations continue to struggle with breaches, which is consistent with overall respondents. Respondents from the financial services sector are likely to see security teams as a barrier. 49% of the development and operations teams in this vertical see security teams and policies slowing them down; this number increases to 55% among large financial services organizations.

Other key findings from the survey include:

Development plays an active, early role in application security

  • Developers are taking more responsibility for security with 26% of financial services respondents saying it’s a top concern (compared to 24% of overall respondents), while in mature DevOps organizations in this vertical that number rises to 32%.

For DevOps teams, security controls are increasingly automated throughout the development lifecycle

  • 81% of respondents from large financial services organizations have an open source governance policy in place (compared to 57% overall), revealing a higher level of controls and a more watchful eye on security concerns.
  • 24% of all financial services respondents said that they automate application security analysis at all stages of the software development life cycle (SDLC), which was consistent with the overall survey responses (27%).

Automated security practices allow developers to keep pace with the speed and scale of innovation and financial services organizations are on the leading edge of this trend

  • 94% of respondents from large financial services organizations indicated that security was a top concern when deploying containers (compared to 88% of overall respondents and 91% of all financial services respondents). While only 74% of respondents from large financial services organizations leverage security solutions to address this problem, they are 33% more likely to use a security solution than the typical survey respondent.
  • Almost 57% of large financial services organizations keep a complete software bill of materials to help them track down new open source vulnerabilities faster (e.g., Commons-Collection, Struts2) compared to 35% of all respondents and 43% of all financial services respondents.

“As evidenced by this year’s survey results, organizations everywhere are now transforming their development from waterfall-native to DevOps-native tools and processes,” said Wayne Jackson, CEO, Sonatype. “Along the way, they are coming to grips with one simple fact: DevOps is not an excuse to do application security poorly; rather it is an opportunity to do application security better than ever.”

About the Survey

The 2017 DevSecOps Community Survey provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. A total of 2,292 IT professionals responded to the survey across all industries. Of the 412 respondents from the financial sector, 168 came from organizations with more than 500 developers. The survey was conducted by Sonatype, Contino, DZone, Emerasoft, Ranger4, and Signal Sciences. The survey’s margin of error is ±2.02 percentage points for 2,292 IT professionals at the 95% confidence level.

About Sonatype

Last year developers requested 31 billion components from the Central Repository to manufacture the software applications that run the world. Additionally, with more than 120,000 installations, companies around the globe use Sonatype’s Nexus solutions to manage reusable components and improve the quality, speed and security of their software supply chains. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Hummer Winblad Venture Partners, Morgenthaler Ventures, Bay Partners and Goldman Sachs. For more information, visit:

Media Contact

Jennifer Edgerly
SpeakerBox Communications for Sonatype