Adding security into DevOps hasn’t been as easy as automating all the things. Sonatype’s survey shows the state of the industry—and what you might want to work on next.
DevOps teams are deploying software at an accelerated rate, according to Sonatype, provider of the Nexus platform for application security, which recently released the 2020 DevSecOps Community Survey. The survey also showed that teams with mature DevOps support were happier in their jobs.
The report had broad representation: of more than 5,000 subjects, 65% identified as individual contributors. That gives a little more confidence that the data will be accurate, rather than a CTO or CIO, separated from the work, answering each question on behalf of the “best” division. The majority of the respondents were working on web (86%) or web services (64%), with only 29% working on mobile apps and 37% on the desktop. Most of the organizations surveyed had larger development groups; 68% have more than 25 developers.
One measure of the success of a DevOps implementation is frequency of deployment, but that can be a tricky measure. For example, a company with a dozen teams could deploy “twice a day,” which actually means each team deploys about once a week. According to the survey, 55% of the respondents deployed at least once a week; in context, that is probably at the team level.
The most interesting piece for me was the breakdown of tools. The survey breaks DevSecOps tools into 10 categories and asks about the adoption of each. These include a Web Application Firewall, Open Source Governance, Intrusion Detection System, Static Analysis Security Testing (“code scanning”), Data Loss Prevention, Container Security, Dynamic Analysis (“penetration testing”), Software Composition Analysis, Interactive Application Security Testing (“human pen testing”), and Runtime Application Self Protection. Adoption varied widely across these categories: 51% of even the less-mature respondents had a web application firewall, but only 20% of the more-mature respondents were running runtime application self-protection.
Happy developers, grumpy developers
The survey asked developers if they were satisfied at work, if they would recommend that friends work at their company, and so on, then used the answers to bucket programmers as either “happy” or “grumpy.” From there Sonatype cross-cut the answers. For example, are happy developers more likely to use the advanced tools?
Happy developers were nearly twice as likely (65%) as grumpy developers (34%) to use security analysis in their work. Among those who do not run security analysis, those numbers were almost exactly inverted, with 34% of happy developers lacking the tools versus 66% of the grumpies. The mature DevOps practices were also more likely to have satisfied employees, with 92% of high-maturity respondents satisfied at work compared with just 61% at the lower-maturity shops. Grumpy developers also reported less awareness of security tools across the board, except for “Security Management” (at 20% happy / 22% grumpy) and Rumor, where 19% of grumpy developers indicated they were clued in versus 5% of happy developers.
The happy developers may be too busy actually getting things done.
I asked Derek Weeks, a vice president at Sonatype, to explain the survey, how the organization came to know about those tools, and for a real example of the impact of going without.
Sonatype keeps an email list with 160,000 software professionals that represent a broad selection of the industry. That at least reduced my first suspicion, that the people who self-select for this survey will be on the more highly involved, high-function side, leading to skewed results. For the questions, Sonatype pulled from a variety of advisors, including the DevOps Institute, Verica, the DevOps division of Carnegie Mellon’s Software Engineering Institute, Cloudbees, and DevOps.com. That meant the 10 categories of tools were a result more of consensus than a single opinion. The survey also asked people to self-select if they are high or low functioning in practice. After the self-selection, Sonatype did some double checking of its own. If you claimed to be high maturity but said your development method was waterfall and you release web software quarterly, the team would downgrade the selection.
I asked Weeks for an example of how DevSecOps practices could lead to a serious problem, and he pointed me to the recent SaltStack security issue. The maintainers of SaltStack made a patch available before announcing a security vulnerability. However, unless you knew you were using SaltStack, and had a governance system to check for fixes, your software could be exposed and on the internet, which did lead to a half-dozen security breaches the day after the announcement. The survey reported that 21% of respondents had had an open source security breach in the past year. Weeks said, “If anything, to be realistic, I expect that number should be higher.”