How Good Have Developers Been at Shifting Left?

Development teams report their organizations are addressing security sooner — but does that necessarily mean they’re doing it more effectively?

shift left

One of the insights in GitLab’s Mapping the DevSecOps Landscape 2020 Survey Results report seems to sum up the challenges that security poses for DevOps teams pretty well: “The subject of security is a tricky one, no matter where you sit in a development organization.” Of the more than 3,650 professionals worldwide, including software developers, software engineers, DevOps engineers and software architects responding to the survey, 65 percent say their processes have shifted left, handling security earlier in the development process.

However, GitLab found that only 24 percent have static application security testing (SAST) in a web integrated development environment (IDE) to uncover security vulnerabilities. Furthermore, fewer than 19 percent of respondents’ organizations give developers easy access to SAST reports. The numbers on dynamic application security testing (DAST) are even lower, with only 14 percent giving developers access to DAST reports.

It’s important to remember that even when the right tools are in place, however, all of the onus isn’t on the organization. Developers themselves also fall short when it comes to security and its shift left. The survey found more than 60 percent don’t run SAST scans, and 73 percent don’t run DAST scans. Furthermore, 56 percent don’t run container scans, about 50 percent skip compliance scans, and about 43 percent don’t run dependency scans.

What Needs to Change

Survey respondents shared their views on where their organizations can do better to facilitate application security and testing:

  • 42 percent stress that security still needs to shift left — it still is addressed too late in the development cycle.
  • 36 percent say it’s too hard to understand and fix vulnerabilities.
  • 31 percent report that it’s a fight to get their organizations to prioritize security.
  • 30 percent say it’s hard to find someone with the skills to fix the bugs they identify.

GitLab also found that most organizations do not have processes designed to monitor and protect application technologies such as microservices, APIs and containers. And, when it comes to serverless and cloud-native, 64 percent say they have no security capabilities.

In terms of process, 62 percent say security leadership has the capability of developing an accurate picture of how their team is performing, while 53 percent say this is hindered by “red tape.”

Who is Responsible for Security?

It appears that there is no definitive job description in the industry that includes security. Of respondents to GitLab’s survey, 32.54 percent say security falls to their security group; 20.54 percent says developers; 11.85 says operations, and 29.23 say “all of the above.” Unfortunately, 2.84 percent say no one.

Specifically, among people identifying themselves as developers, 28 percent say they are completely responsible for security, 41 percent say they are responsible for security as a part of a team, and 21 percent say they leave the responsibility for security to someone else.

A DevOps Developer’s Outlook for the Future

About 29 percent of developers, along with professionals in operations, security and testing, state that soft skills, such as communication and collaboration, will be the most important to their career development. Following in terms of important skills they’ll need in the future are artificial intelligence and machine learning, 22 percent, and GitOps, 17 percent. Almost 15 percent state that the greatest benefit will come from knowing advanced programming languages.

GitLab comments that the respondents to their survey also express that they could benefit from a better understanding of DevOps overall, and some others want to learn more about low code and no code, containers, serverless, and infrastructure as code.

Looking ahead, 71 percent feel prepared for the future, 24 percent say “they’re not very prepared,” and 7 percent classify themselves as “overwhelmed.”

For more extensive insights on how well developers’ efforts to shift left are progressing and information on other topics, including insights on developers’ changing roles, operations and testing, download GitLab’s Mapping the DevSecOps Landscape 2020 Survey Results.