On March 21st, Sonatype, the company behind the Nexus repository, released the results of their 2017 DevSecOps Community Survey. Over 2292 tech professionals responded to questions about their DevOps maturity, their perception of security’s importance in the application lifecycle, and open source software. Of these respondents, 21% were Developers, 22% DevOps, 14% Architects, 12% team leads, and the rest were split between Build Managers, IT Operations, AppSec professionals, IT managers, and others. DZone worked with Sonatype to drive responses to this survey, and we wanted to share a taste of some of these interesting results. If you’d like to download all the results now, just visit this link from Sonatype.
When asked about the maturity of their DevOps practices, 26% of professionals believed that their organizations were following highly mature DevOps practices. 41% recognized that their teams were trying to improve their DevOps processes, and 33% admitted that their DevOps practices were immature.
Application security breaches have increased from 14% in Sonatype’s 2014 survey to 28% this year. Whether attacks have become more frequent, monitoring tools have improved to the point where breaches are caught quickly, or both, this growth over three years is troubling. Another notable number is the ratio of developers to AppSec professionals: 100:1.
Nagatha Christie, Chief Security Officer
Application Security professionals traditionally have a bad reputation within developer circles, even those practicing DevOps. 54% of respondents see security pros as “nags who only point out vulnerabilities but…can’t resolve them.” In addition, 58% of all respondents saw security as an inhibitor to DevOps agility. When looking at the maturity of their DevOps processes, 47% of those in immature environments felt that security slowed things down compared to 28% of those in highly mature DevOps organizations.
That’s not to say that developers necessarily have a negative outlook on application security. According to the survey results, 50% of developers realize the importance of security, but feel like they don’t have the time to properly secure their applications. Out of all respondents, only 39% are automating security tests in their continuous integration and continuous delivery processes, while 58% of those with highly mature DevOps practices have automated their security testing.
It seems that developers’ view of security still has a long way to go before DevSecOps can be seen as a true, executable best practice rather than a pie-in-the-sky buzzword. One thing developers can do is learn which vulnerabilities to look for and how to bake security testing and protection into the SDLC. To learn more about application security, visit our new Security Zone or read through our Guide to Application and Data Security. If you’d like to take a look at all of the survey results, you can download the full report at this link.