2019 State of DevOps Report Reveals Shifting Security Left is Insufficient

PORTLAND, Ore., Sept. 25, 2019 (GLOBE NEWSWIRE) -- Puppet, the standard for automating the delivery and operation of the software that powers everything around us, today announced the findings of the 2019 State of DevOps Report. Over the past eight years, Puppet has surveyed over 33,000 technical professionals to develop the longest-standing and most widely referenced DevOps research in the industry. This year, nearly 3,000 respondents from around the world participated in the report, which was written by Puppet, CircleCI and Splunk Inc.

Organizations Must Fundamentally Change How They Work Earlier in the Software Delivery Cycle

The 2019 State of DevOps Report reveals patterns and practices that help organizations integrate security into the software development lifecycle. The report found that teams at higher levels of DevOps evolution have automated their security policies, and they involve the security experts in their organizations very early in the software development lifecycle — actually, from the planning and design phases.

Higher DevOps Evolution = More Integrated Security

Twenty-two percent of the firms at the highest level of security integration have reached an advanced stage of DevOps evolution compared to only 6 percent of the firms with no security integration. These firms have achieved not only the ability to ensure customer data stays safe but also to drive new products to market faster. “The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes,” said Alanna Brown, Senior Director of Community and Developer Relations at Puppet and author of the State of DevOps report. “Organizations that are serious about improving their security practices and posture should start by adopting DevOps practices.” The survey found:

• Security doesn’t have to take a back seat to feature delivery. Firms at the highest level of security integration are able to deploy to production on demand at a significantly higher rate than firms at all other levels of integration — 61 percent are able to do so. Compare this with organizations that have not integrated security at all: Fewer than half (49 percent) can deploy on demand.
• Time to remediate vulnerabilities did not dramatically decrease at higher levels of security integration but it did slightly decrease. While very few firms are able to remediate vulnerabilities in less than one hour (7 percent of total respondents could), 11 percent of firms at the highest level of security integration are able to.
• Cross-team collaboration builds confidence in an organization’s security posture. Eighty-two percent of survey respondents at firms with the highest level of security integration said their security policies and practices significantly improve their firm’s security posture. Compare this with respondents at firms with no security integration — just 38 percent had that level of confidence.
• The more security is integrated into the software delivery lifecycle, the more delivery teams see security as a shared responsibility. Firms integrating security throughout the lifecycle are more than twice as likely to be able to stop a push to production for a medium security vulnerability to ensure their customers are protected from the risk or releasing insecure code.
• Security integration is messy, especially in the middle stages of evolution. In these middle stages, security and delivery teams experience higher friction while collaborating, software delivery slows down, and audit issues both increase and require immediate attention. Friction is even higher for respondents who work in security jobs than those who work in non-security jobs. But, if they stick with it, security teams will reap the rewards of that hard work and start seeing quicker results —79 percent of the companies surveyed were in this stage.

"Empathy and Trust Aren't Automatable"

“It shouldn’t be a surprise to anyone that integrating security into the software delivery lifecycle requires intentional effort and deep collaboration across teams,” said Michael Stahnke, VP of Platform Engineering, CircleCI. “What did surprise me, however, was that the practices that promote cross-team collaboration had the biggest impact on the teams’ confidence in the organization’s security posture. Turns out, empathy and trust aren’t automatable.”

“This year’s report reinforces Splunk’s belief on how important it is to take a collaborative and integrated approach to service delivery,” said Andi Mann, Chief Technology Advocate, Splunk. “The 2019 State of DevOps Report proves that aligning Development, IT Operations, SRE, Incident Response, Security, and Business Analytics teams across organizations enables all stakeholders to deliver improved, more secure software services.”

Five Practices that Improve Security Posture

Firms that have integrated security at all stages of delivery collaborate early, often and most importantly, deeply. The survey revealed the top five practices that improve security posture are:

• Security and development teams collaborate on threat models.
• Security tools are integrated in the development integration pipeline so engineers can be confident they’re not inadvertently introducing known security problems into their codebases.
• Security requirements, both functional and non-functional, are prioritized as part of the product backlog.
• Security experts evaluate automated tests, and are called upon to review changes in high-risk areas of the code (such as authentication systems, cryptography, etc.).
• Infrastructure-related security policies are reviewed before deployment.

Notes

The full 2019 State of DevOps Report is available for download at https://puppet.com/resources/history-of-devops-reports. Sponsors of the report include Anitian, F5 Networks, and ServiceNow.

Report Methodology

The survey collected data from technical professionals with a working knowledge of their IT operations and software delivery process. A third-party research firm, OnResearch, hosted the survey and conducted the data analysis. The resulting report was written by Puppet, CircleCI and Splunk. Splunk participation involved providing analysis and commentary to the report findings. All other opinions and writings in the report were completed by Puppet and CircleCI.

Supporting Quotes

• “Puppet’s State of DevOps report provides outstanding insights into the ongoing challenges of integrating security and DevOps teams,” said Andrew Plato, CEO, Anitian. “While the report outlines many problems, it also highlights the gains that arise when DevOps and security are fully integrated. These benefits include increased security effectiveness, more robust risk management, and tighter alignment of business and security goals. These insights mirror our experiences at Anitian implementing our security automation platform. We are proud to be a sponsor of the State of DevOps report as well as a technology partner with Puppet. We anticipate referencing this report regularly in our engagement with our customers as well as the DevOps and security communities.”
• “Integrating security into CI/CD pipelines is the most critical, as well as the most challenging and overlooked aspect of rapid deployment of applications,” said Geng Lin, Executive Vice President and Chief Technology Officer, F5 Networks. “Empowering organizations to accelerate the time it takes to go from code to customer, while effectively mitigating risk, drives tremendous business value and a competitive edge."