Set against a backdrop of macroeconomic factors, including lingering inflation and supply chain challenges, DevSecOps continues to make business sense for more organizations. GitLab surveyed more than 5,000 leaders in development, security, and IT roles for its 2023 Global DevSecOps Report and found 56 percent use DevOps or DevSecOps methods, an increase of 9 percent over 2022. The survey reveals that benefits driving adoption include heightened security, efficiency, cost savings, automation, and enhanced collaboration.
The Shift Left
With cyberattacks becoming ever more sophisticated, respondents keep security top of mind as a priority and as a key issue challenging software development. Investment in security ranks second only to cloud computing spend. Topping security professionals’ lists of current priorities are license compliance checks and cloud-native or serverless security capabilities.
Additionally, 29 percent see shifting security left as their main focus for the future. Business leaders and IT professionals list the benefits of moving security to an earlier phase of the software development cycle as:
- Reducing silos: When security is built into development processes from the start, development, security, and operations teams collaborate throughout the project.
- Shared responsibility: Because cross-functional teams work together through development, developers, security professionals, and operations staff all take ownership of software security.
- Cost savings: Shifting left allows teams to find and address vulnerabilities early, avoiding more costly rework – or cyberattacks and data breaches – later.
The GitLab survey reveals that 74 percent of security professionals have already shifted left or plan to in the near future. As the shift left continues, organizations tend to migrate away from legacy software development methodologies and toward DevSecOps.
Testing, Toolchain Management – and Lingering Frustrations
Despite progress in DevSecOps, testing remains a pain point. Professionals report that teams are testing too late in the process. Additionally, they struggle with an excessive number of false positives and difficulties related to remediation, slow projects, and time to market. One of the report’s recommendations is for organizations to focus on integrating testing into DevSecOps workflows as they advance their efforts to shift security left.
Business leaders, developers, and IT professionals also report that using and managing multiple tools is another pain point. They agree that reducing or consolidating the number of tools they use would support monitoring consistency, lower barriers to compliance, and make it easier to collect and analyze data from tools to enable better decision-making.
The Rise of AI and ML
Artificial intelligence (AI) and machine learning (ML) are helping to streamline security testing, code checking, and other QA/QC processes. More than half of developers (65 percent) either use AI or ML for testing or plan to in the near future, and 62 percent use it to check code.
However, the efficiency of leveraging AI and ML for testing is accompanied by some concerns — especially among security professionals. Nearly 70 percent cite concern about the impact of AI and ML on their jobs. Moreover, some worry that errors introduced by AI or ML could make their jobs more difficult.
One notable finding compared to the 2022 survey is that security professionals no longer view AI and ML skills as most important for furthering their careers. In 2023, they believe soft skills, such as collaboration and communication, are more valuable.
Make Progress on the Journey
More organizations are adopting DevSecOps/DevOps methodologies, moving security closer to developers, and embracing AI/ML. However, toolchains need to be consolidated, and industry professionals recognize that they need all the tools and skills necessary to reap the full benefits of new technologies.
Perfecting DevSecOps is a continual process, particularly as industry, technology, and economic factors change. Maintain an accurate view of the landscape, stay agile, and adapt your strategy for the best outcomes.