The findings from our 2019 State of DevOps Report are in, and we’re excited to share them with you. Our eighth annual report shows definitively that practicing DevOps well also means doing security well.
Analysis of survey results from nearly 3,000 technical professionals and executives reveals that organizations which have evolved their DevOps practices to a high level have also achieved a high level of security. They've done this by successfully integrating security practices into the software development lifecycle from its very earliest stages. In this year’s State of DevOps Report, we tell you which practices lead to both high performance and a stronger security stance, so you can adopt these practices and realize the same benefits.
The 2018 State of DevOps Report showed that organizations in the more advanced stages of DevOps evolution place high emphasis on security practices. Teams at these higher levels of DevOps practice have automated their security policies, and they involve the security experts in their organizations very early in the software development lifecycle — actually, from the planning and design phases.
As we shared these findings with companies around the world, people kept asking us the same questions: “How can we integrate security practices into our DevOps practice? And what results can we expect?” So as we sat down to plan this year’s State of DevOps survey, we designed questions that would help us uncover any common patterns and practices for integrating security that are employed by highly evolved organizations. We also designed questions to learn whether tighter integration results in better business outcomes.
I asked my fellow co-authors — Nigel Kersten, Andi Mann and Michael Stahnke — to share what most surprised or excited them in this year’s State of DevOps Report. Here are their hot takes.
Michael Stahnke, VP of Platform Engineering at CircleCI
It shouldn’t surprise anyone that integrating security into the software cycle requires intentional effort and deep collaboration across teams. What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in their organization’s security posture. Turns out, empathy and trust aren’t automatable.
Another thing that really surprises me is the lack of cynicism surrounding audits and their usefulness. This leads me to believe either I’ve been living in a dystopian past, or people lie on surveys.
Nigel Kersten, Field CTO at Puppet
It was interesting to discover it doesn’t matter how your teams are structured, so long as you have someone focused on security collaborating closely with development, test, and operations teams throughout the software delivery lifecycle. You don’t need to have purely autonomous project teams that report to the same person, or that are even in the same department. What matters most is everyone working together towards the common goal of making the software more secure.
This means you can experiment with your existing team structure and prove that a new model can work; you don’t have to reorganize your entire company. You don’t need to place a big bet to create a pocket of success — you just have to trust a small team and support them.
Andi Mann, Chief Technology Advocate at Splunk
I am excited about how prescriptive this year’s research allowed us to be. DevOps and SecOps are both complex disciplines, so I fully expected many bell curves with no clear winners. Not at all! The research clearly identifies a set of specific, actionable known-good practices — such as collaborating on threat models, or letting SecOps add to the development backlog — that align with positive security and delivery outcomes. It's cool to show that DevSecOps works, but so much cooler to show how it works.
As for me, my favorite finding is that, despite what you hear at conferences, DevOps is not all sunshine and rainbows. Integrating security into the software delivery lifecycle is messy, and things often get worse before they get better, due to the discomfort of doing things so differently. This is a pattern we’ve observed in previous reports, and it echoes what we hear from companies who are going through this evolution. So if you sometimes feel like the DevOps goth at a Hanson concert circa 1997, it’s good to know you’re not alone.
I can’t limit myself to just that one observation, though. There’s a lot more I found striking in this year’s DevOps Report. I was pleased to see that integrating security early benefits organizational and business performance. For example, you’d think the additional work of integrating security would make it harder to deploy to production on demand. In fact, it improves the situation. Almost two-thirds of the surveyed organizations that have achieved the most advanced levels of security integration are able deploy on demand, compared to fewer than half of organizations that have not integrated security into the software development lifecycle.
In another example — and this one is less surprising — the firms that have integrated security most deeply are able to remediate critical security issues faster than less advanced organizations. While the difference isn’t enormous, it is statistically significant, and certainly, being able to remediate even a little faster can make a huge difference to a business with significant online operations. Who doesn’t have significant online operations these days?
An aspect of DevOps that always grabs my interest is how much DevOps practices improve people’s morale and happiness at work. It was good to learn that integrating security deeply not only makes teams far more confident in the security of their software and systems, it also makes people feel that security is a shared responsibility. And where people share, they are happier.
Special thanks to all of our wonderful sponsors this year: Anitian, CircleCI, F5, ServiceNow and Splunk. We so appreciate that you support DevOps values and help us bring this research to a wider audience.
Alanna Brown is senior director of community and developer relations at Puppet, and was the original creator of the State of DevOps Report and a co-author since its inception in 2012.