Survey: For DevOps Pros, It's 'Security, Security, Security'

The GitLab 2022 Global DevSecOps Survey is out, finding that security concerns are no longer being siloed and silenced in the push to get software out the door faster.

GitLab, provider of a namesake DevOps platform, illustrated that point with three bullet points from the survey:

  • The number one reason to implement a DevOps platform? Security. (And 75 percent of DevOps teams use a DevOps platform currently or plan to this year.)
  • The number one benefit of a DevOps platform? Security.
  • The number one investment priority for 2022? Security.
Who's in Charge?
[Click on image for larger view.] Who's in Charge? (source: GitLab).

In fact, when developers were asked about the most challenging parts of their jobs, more than 1,000 respondents answered with this: "Security, security, security."

The company said those results in its sixth annual survey represent a dramatic shift from previous years.

"The attention to security in DevOps teams doesn't stop there," GitLab said in an Aug. 23 blog post about the survey. "As our surveys have shown since 2020, DevOps roles continue to shift, and this year, many of those shifts were laser-focused on security:"

  • 53 percent of developers told us they're "fully responsible" for security in their organizations, a 14 point increase from 2021.
  • Over one-third of security pros report being "hands on" and involved on a daily basis with dev and ops, an 11 percent increase from last year (and a massive cultural shift from groups not always known to get along).
  • Almost 50 percent of ops pros say they're fully responsible for security in their organizations, up 20 percent from last year.

Furthermore, when the survey asked developers about the most difficult parts of their jobs, thousands of respondents mentioned security and security-related concerns, with GitLab saying responses from three developers summed things up:

  • "Cyber security attacks are the biggest concerns facing us today."
  • "Data security, data security, I repeat, data security."
  • "Trying to build applications that are secure and stable."

The survey polled more than 5,000 DevOps pros in May, finding secure software development is now an imperative for DevOps teams around the world.

While noting that dev and ops pros are taking on a larger share of security ownership in this year's report, GitLab noticed a change in responses among security pros from previous years to this year when they were asked how responsible they feel for application security in their organizations.

"In 2020 and 2021, the percentage of security pros who said they were fully responsible for security was roughly the same as those who said everyone was responsible," the report said. "This year the picture has changed dramatically: 43 percent of sec team members admitted to full ownership of security (a 12 percent jump from last year) but a resounding majority (53 percent) said everyone was responsible, a 25 percent increase from 2021."

Top Security Findings
[Click on image for larger view.] Top Security Findings (source: GitLab).

Other security-related data points from the report as presented by GitLab include:

  • For the second year in a row, a large majority of security pros (71 percent) rated their organization's security efforts as either "good" or "excellent." This was nearly identical to last year's assessment and certainly reflects the increasing focus on security we've seen throughout the survey.
  • As we saw starting last year, security roles are evolving. Nearly 29 percent of sec pros said they're now part of a cross-functional team (identical to 2021's findings), while 28 percent are now more focused on compliance and 35 percent are more involved in daily tasks/more hands-on, an 11-point jump from last year. About 48 percent of survey takers said their roles aren't changing, but 10 percent said they have more budget, and 7 percent have more influence over engineering decisions.
  • Last year 60 percent of respondents said their organizations had nothing in place to secure cloud native and serverless, but this year 53 percent of teams have built it in.
  • When it comes to what will help them most in their future careers, a majority of security pros (54 percent) said AI/ML, followed by communication and collaboration (33 percent), and advanced programming (32 percent). Since our 2020 survey, security pros have been consistent about the critical importance of soft skills, but the interest in AI/ML jumped 33 percent from 2021 to 2022.
  • Microservices and containers continue to gain traction in DevOps teams, but security processes to monitor them continue to lag. Just 65 percent of sec pros said they had a security plan for microservices and just 64 percent said they had one for containers. The security outlook is a bit brighter when it comes to cloud native and serverless, however. Last year 60 percent of respondents said their organizations had nothing in place to secure cloud native and serverless, but this year 53 percent of teams have built it in.

The report also features data on other aspects of DevSecOps beyond security, as evidenced by these data points:

  • 47 percent of teams have full test automation, nearly double the number in 2021.
  • 70 percent of teams release code continuously, once a day, or every few days, up 11 percent from last year.
  • Nearly three-quarters of DevOps teams are using a DevOps platform or plan to this year.
  • DevOps roles continue to shift: Developers are taking on ops jobs, ops is cloud or platform-engineering focused, and security pros are "hands on" inside dev teams.
  • 31 percent of teams are using AI/ML for code review, 16 points higher than last year.
  • 60 percent of developers are releasing code faster than before.
  • 69 percent of survey takers want to consolidate their (sometimes sprawling) toolchains because of challenges with monitoring, development delays, and unhappy devs.
  • 70 percent of teams deploy multiple times a day, daily, or every few days, up 11 percent from 2021.
  • 54 percent of ops pros are managing hardware infrastructure all or most of the time.
  • 52 percent of ops pros manage cloud services all or most of the time.
  • 32 percent of ops pros manage hardware infrastructure "sometimes."
  • 31 percent of ops pros manage cloud services "sometimes."

While noting that the survey provided data about challenges such as pandemic-based culture changes, hiring and retention struggles, and the level of effort required to integrate complex new technologies like artificial intelligence, GitLab brought the gist back to security.

"If there was one overarching concern, it was the very real threat security breaches represent. While security continues to 'shift left' in many teams, it also is, perhaps for the first time, a driving force for many decision makers when it comes to choosing a DevOps platform or other technologies. The threat of security breaches is also top of mind for many DevOps teams."

About the Author

David Ramel is an editor and writer for Converge360.


Subscribe on YouTube