Global rise in DevSecOps but role uncertainty persists – GitLab study
The line between development teams, security teams, and operations teams continues to blur into the culmination of DevOps and DevSecOps, according to those working in the industry.
Rising rates of DevOps adoption and tool choices are leading to job function changes, and organisation charts across development, security, and operations.
GitLab reports that DevOps practitioners are working with faster release times, continuous integration and deployment, and progress towards shifting test and security ‘left’, says GitLab CEO and cofounder Sid Sijbrandij.
“That said, there is still significant work to be done, particularly in the areas of testing and security. We look forward to seeing improvements in collaboration and testing across teams as they adjust to utilising new technologies and job roles become more fluid.”
The GitLab Global DevSecOps Survey explains that teams must understand how the role of the developer is changing, and how it affects security, operations, and test teams.
35% of developers say they define and/or create the infrastructure their app runs on, but only 14% monitor and respond to that infrastructure. This is traditionally a role held by operations. Additionally, more than 18% of developers instrument code for production monitoring, while 12% serve as an escalation point when there are incidents.
Furthermore, 83% of developers report being able to release code more quickly after adopting DevOps. continuous integration and continuous delivery (CI/CD) is also proven to help reduce time for building and deploying applications – 38% said their DevOps implementations include CI/CD.
An additional 29% said their DevOps implementations include test automation, 16% said DevSecOps, and nearly 9% use multi-cloud.
Automated testing is on the rise, but only 12% claim to have full test automation. And, while 60% of companies report deploying multiple times a day, once a day or once every few days, over 42% say testing happens too late in the development lifecycle.
There is increasing uncertainty from both developers and security teams over who should take responsibility for security development.
More than 25% of developers reported feeling solely responsible for security, compared to testers (23%) and operations professionals (21%).
Additionally, 33% of security team members say that they ‘own’ security, while 29% say everyone should be responsible.
Despite questions of ownership, security teams continue to report that developers are not finding enough bugs at the earliest stages of development and are slow to prioritize fixing them – a finding consistent with last year’s survey.
More than 42% of security respondents say that testing still happens too late in the life cycle, while 36% reported it was hard to understand, process, and fix any discovered vulnerabilities, and 31% found prioritising vulnerability remediation an uphill battle.
“Although there is an industry-wide push to shift left, our research shows that greater clarity is needed on how teams’ daily responsibilities are changing, because it impacts the entire organisation’s security proficiency,” comments GitLab vice president of security, Johnathan Hunt.
“Security teams need to implement concrete processes for the adoption of new tools and deployments in order to increase development efficiency and security capabilities.”
GitLab surveyed more than 3,650 software professionals from 21 countries worldwide.