What is challenging successful DevSecOps adoption?
Mezmo published an ESG report which provides insights on DevSecOps adoption, its benefits, and the challenges with implementation. According to the study, only 22% of respondent organizations have developed a formal DevSecOps strategy integrating security into software development lifecycle (SDLC) processes, but an overwhelming percentage of those report a positive impact on accelerating incident detection (95%) and response (96%) efforts.
Based on a survey of 200 DevOps and IT/information security professionals, the report shows that more than half of respondent organizations using DevSecOps tools and processes experienced a significant reduction in incidents that occur in production. The greatest impact reported was on accelerating incident detection efforts, and nearly half reported significant improvements in incident response and remediation times.
Although adoption is low for now, the study also confirms potential growth in the industry with 62% of respondents saying their organization is actively evaluating use cases or has plans to implement DevSecOps.
“As organizations adopt modern software development processes leveraging cloud platforms, they are looking to incorporate security processes and controls into developer workflows,” said Melinda Marks, senior analyst at ESG. “This research shows DevSecOps can be a game changer for companies, and there is no doubt we will see growing market traction over the next few years.”
Factors limiting DevSecOps adoption and success
According to the research, there are distinct differences between the perceived and actual challenges of implementation. Companies believe that establishing a culture of collaboration and encouraging developers to leverage security best practices are nearly equal in importance to adopting DevSecOps tools. While it is common to anticipate cultural transformation to be a roadblock prior to adoption, those practicing DevSecOps report that technical limitations, such as data capture and analysis, are actually greater barriers to success.
Eighty-four percent of respondents believe that getting the right data and tools to developers is key for enabling success. But, as organizations increase the speed and volume of releases to serve more customers, they are collecting huge volumes of data. Organizations surveyed capture several (54%) or even hundreds (32%) of terabytes per month, with 6% capturing a petabyte or more per month.
This amount of data is costly to collect and store, and parsing through it for incident triage and response is time-consuming. In fact, 17.5 person hours is the average time it takes to triage and understand security incidents—an amount that 82% of companies would like to reduce. 69% of organizations do not capture certain data sources because of the high cost of storage/retention, which is problematic if there is an incident and the organization has incomplete data for a thorough analysis and/or timely response.
Making the most of your data with observability
The study shows that 91% of organizations are using multiple tools to get the most value out of their data, which makes it difficult for multiple groups to have access to the data they need to do their jobs. Not having a “single source of truth” is reported as the greatest challenge holding back teams.
“To move fast and build secure applications, companies need solutions that help them to fully harness the value of their data to drive better results,” said Tucker Callaway, CEO, Mezmo. “To achieve this, teams are looking for observability solutions that are flexible and scalable, with automation features to help improve data collection and analysis.”
Right now, 87% of companies are using open source tools as part or all of their observability stack because they are more customizable. But 84% believe it will become challenging to manage, adapt, and scale with these solutions. 98% of survey respondents, with titles across teams, from application developers to IT and security professionals, said they will likely investigate a managed observability solution over the next 12 months.