5,558 IT Professionals Reveal Patterns of Elite DevSecOps Practices


2019 DevSecOps Community Survey shows mature programs are 700% more likely to automate security, as adversaries accelerate pace

SAN FRANCISCO - RSA Conference – March 4, 2019 Sonatype, the inventors of software supply chain automation, today published findings from its 6th annual DevSecOps Community Survey of 5,558 IT professionals, making it the largest DevSecOps survey ever conducted. The survey, developed in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit, and Twistlock, unveiled a new portrait of what organizations with elite DevSecOps programs look like in the face of accelerating attacks from bad actors.

As DevOps practices mature rapidly, elite organizations are automating security earlier in the development lifecycle and managing their software supply chains as a critical differentiator from their competitors. The survey results revealed that organizations with elite DevSecOps programs are outperforming other enterprises by wide margins.


The factors that distinguish elite programs include:

  • DevOps Automation - Elite DevSecOps practices are 700% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have more feedback loops, which let security issues be surfaced directly by their tools.

  • Open Source Controls - 62% of respondents with elite programs have an open source governance policy in place where automation improves adherence to it, compared to just 25% of those without DevOps practices.

  • Container Controls - 51% of respondents with elite practices say they leverage automated security products to identify vulnerabilities in containers, while only 16% of those without DevOps practices said the same.

  • Training - Organizations with elite DevSecOps practices are 3x more likely to provide application security training to developers than those organizations without DevOps practices.

  • Preparedness - 81% of those with elite practices have a cybersecurity response plan in place compared to 62% of those without DevOps practices.

“Forty-seven percent (47%) of the organizations we surveyed are deploying to production multiple times a week, while the velocity of their security practices is also increasing,” said Derek Weeks, VP and DevOps Advocate at Sonatype. “The DevSecOps community has shown us that elite organizations are performing significantly less manual work, seamlessly blending security into their developers’ world, and are better prepared for remediating security incidents as they arise, when compared to their counterparts without DevOps practices.”

Other key findings from the largest DevSecOps survey ever include:

  • 24% of all respondents suspected or verified a breach related to open source components -- representing a 71% increase since Heartbleed made headlines 5 years ago.

  • 50% of elite programs produce a complete software bill of materials that is updated regularly, while only 19% of those without DevOps practices maintain one.

  • Developers continue to believe security is important but are unable to make it a priority. For the third year in a row, 48% of respondents reported that developers feel they do not have the time to spend on security.

  • 50% of respondents using cloud infrastructure noted they simply rely on the service provider to secure their cloud.

  • 46% of organizations without DevOps practices do not encrypt application-level credentials, while 75% of elite DevSecOps practices do.

Additional Resources:

  • Download the 2019 survey

  • Read Sonatype’s latest blogs on the survey results

  • Register for a survey results webinar with Sonatype and CloudBees on March 28, 2019

  • Check out what CloudBees thinks about the report results

Supporting quotes:

"Every organization with a DevOps framework should evolve towards a DevSecOps mindset," said Shawn Ahmed, vice president of product marketing, CloudBees. "The objective is to treat security as a core component throughout the software delivery pipeline as opposed to thinking of it as an afterthought. As security threats continue to evolve it's easy to see the value of evolving towards DevSecOps."

“Key DevOps principles, including continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach,” said Hasan Yasar, technical manager and adjunct faculty member for Carnegie Mellon’s Software Engineering Institute. “We must all recognize security is a living thing and organizations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”

"A key point in the DevSecOps community survey showed that no matter how much you have optimized your team for DevOps or sped up your software delivery cycle, there is still a significant gap between what security wants and how everyone else is able to understand that," said James Wickett, head of research at Signal Sciences. "This is a foundational communication gap which leaves many developers with the conclusion: security is a mystery. It's also a gap that needs to be closed. Developers need security prioritization at speed. They should be able to know if they are under attack or not."

About the Survey

The 2019 DevSecOps Community Survey provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 41 questions asked by Sonatype and our DevOps community advocates including CloudBees, Signal Sciences, Twistlock, and Carnegie Mellon’s Software Engineering Institute. The survey’s margin of error is ± 1.226 percentage points for 5,558 IT professionals at the 95% confidence level.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at www.sonatype.com.