Poll: For DevOps Professionals, It’s “Security, Security, Security”
The GitLab 2022 Global DevSecOps survey is out, finding that security concerns are no longer siloed and silenced as part of the drive to release software faster.
GitLab, provider of an eponymous DevOps platform, illustrated this with three findings from the survey:
- The number one reason to implement a DevOps platform? Security. (And 75% of DevOps teams currently use a DevOps platform or plan to do so this year.)
- The number one benefit of a DevOps platform? Security.
- The number one investment priority for 2022? Security.
In fact, when developers were asked about the most difficult aspects of their jobs, over 1,000 respondents said, “Security, security, security.”
The company said these results in its sixth annual survey represent a dramatic shift from previous years.
“The attention to security in DevOps teams doesn’t stop there,” GitLab said in an Aug. 23 blog post about the survey. “As our surveys have shown since 2020, DevOps roles continue to evolve, and this year many of those changes were security-focused:”
- 53% of developers told us they were “fully responsible” for their organization’s security, an increase of 14 points from 2021.
- More than a third of security professionals report being “hands-on” and involved in development and operations on a daily basis, an 11% increase from last year (and a massive cultural shift from groups that aren’t always known to get along).
- Nearly 50% of operations professionals say they are fully responsible for their organization’s security, up 20% from last year.
Additionally, when the survey asked developers about the hardest parts of their jobs, thousands of respondents mentioned security and security-related issues, with GitLab reporting that three developers’ answers summed it up:
- “Cybersecurity attacks are the biggest concerns we face today.”
- “Data security, data security, I repeat, data security.”
- “Trying to create secure and stable applications.”
The survey polled more than 5,000 DevOps professionals in May and found that developing secure software is now an imperative for DevOps teams around the world.
While noting that development and operations professionals are taking a greater share of security ownership in this year’s report, GitLab noticed a shift from previous years in how security professionals responded when asked how responsible they feel for application security in their organizations.
“In 2020 and 2021, the percentage of security professionals who said they were fully responsible for security was about the same as those who said everyone was responsible,” the report said. “This year, the situation has changed dramatically: 43% of security team members admitted to being fully responsible for security (a 12% jump from last year), but an overwhelming majority (53%) said everyone was responsible, a 25% increase from 2021.”
Other security-related data points from the report presented by GitLab include:
- For the second year in a row, a large majority of security professionals (71%) rated their organization’s security efforts as “good” or “excellent”. This was almost identical to last year’s assessment and certainly reflects the growing attention to safety we saw throughout the survey.
- As we have seen from the last year, security roles are changing. Nearly 29% of security professionals said they are now part of a cross-functional team (same as 2021 results), while 28% are now more focused on compliance and 35% are more involved in daily/more practical tasks, a jump of 11 points compared to last year. About 48% of respondents said their roles are not changing, but 10% said they have more budget and 7% have more influence over engineering decisions.
- When it comes to what will help them most in their future career, a majority of security professionals (54%) said AI/ML, followed by communication and collaboration (33%) and advanced programming (32%). Since our 2020 survey, security professionals have been consistent on the critical importance of soft skills, but interest in AI/ML jumped 33% between 2021 and 2022.
- Microservices and containers continue to gain traction in DevOps teams, but the security processes to monitor them continue to lag behind. Only 65% of security professionals said they have a security plan for microservices and only 64% said they have one for containers. However, the security outlook is a bit brighter when it comes to cloud-native and serverless. Last year, 60% of respondents said their organization had nothing in place to secure cloud native and serverless, but this year 53% of teams have it onboarded.
The report also presents data on other aspects of DevSecOps beyond security, as evidenced by these data points:
- 47% of teams have full test automation, nearly double the number in 2021.
- 70% of teams release code continuously, once a day or every few days, up 11% from last year.
- Nearly three-quarters of DevOps teams use a DevOps platform or plan to do so this year.
- DevOps roles continue to evolve: developers take on operational tasks, operations focus on cloud or platform engineering, and security professionals are “hands on” within development teams.
- 31% of teams are using AI/ML for code review, up 16 points from last year.
- 60% of developers release code faster than before.
- 69% of respondents want to consolidate their (sometimes sprawling) toolchains due to monitoring issues, development delays and disgruntled developers.
- 70% of teams deploy multiple times a day, daily or every few days, up 11% from 2021.
- 54% of operations professionals manage hardware infrastructure all or most of the time.
- 52% of operations professionals manage cloud services all or most of the time.
- 32% of operations professionals “sometimes” manage hardware infrastructure.
- 31% of operations professionals “sometimes” manage cloud services.
While noting that the survey provided data on challenges such as pandemic-related culture shifts, difficulties in hiring and retention, and the level of effort required to integrate complex new technologies like artificial intelligence, GitLab brought the focus back to security.
“If there was an overriding concern, it was the very real threat posed by security breaches. As security continues to ‘shift to the left’ in many teams, it is also, perhaps for the first time, a driving force for many decision makers when it comes to choosing a DevOps platform or other technologies. The threat of security breaches is also a top concern for many DevOps teams.”
David Ramel is an editor and writer for Converge360.