Security investment, toolchain consolidation emerge as top priorities

Security investment, toolchain consolidation emerge as top priorities

Professional IT Programer Working in Data Center on Desktop Computer with Three Displays, Doing Development of Software and Hardware. Displays Show Blockchain, Data Network Architecture Concept
Image: Gorodenkoff/Adobe Stock

After two years of high adoption, nearly three-quarters of respondents have adopted or plan to adopt a DevOps platform within the year to meet rising industry expectations around security, compliance, toolchain consolidation and faster software delivery, according to a new survey by GitLab.

Not surprisingly, the 2022 survey results highlight security as the highest-priority investment area for organizations, with more than half of security team members stating their organizations have either shifted security left or plan to this year, according to the survey.

Toolchain consolidation is also a high-priority focus, with 69% of survey takers wanting to consolidate their toolchains due to challenges with monitoring, development delays and negative impact on developer experience.

Security is both a top challenge and a top area of investment

Security has surpassed even cloud computing as the number one investment area across DevOps teams at global organizations. However, despite a desire to shift security left, many companies are still nascent in their approach and results — only 10% of respondents reported receiving additional funding for security, the GitLab survey found.

SEE: Mobile device security policy (TechRepublic Premium)

Data continues to support the ongoing trend of misalignment between security and development teams. Over half of survey respondents stated that security is a performance metric for developers within their organizations, but 50% of security professionals report that developers are failing to identify 75% of vulnerabilities.

In order to align performance metrics with reality, developers must be incentivized to practice security protocols and be provided with full visibility into the toolchain and potential risks.

When security collaboration is achieved, organizations produce great results. Development, security, and operations teams broadly noted better security as a key advantage of a DevOps platform. Survey data demonstrated that a commitment to security was a driving force for many decision-makers when choosing a DevOps platform or other tools. Additionally, investing in a single platform allows practitioners to take advantage of more features with fewer tools and fewer expenses.

Plans to consolidate tech stacks skyrocket

Although 60% of developers surveyed are releasing code faster than before, toolchain sprawl is impacting speed and productivity, taking valuable time away from developers. Nearly 40% of developers are spending between one-quarter and one-half of their time on maintaining or integrating complex toolchains — more than double the percentage from 2021.

Consequently, 69% of those surveyed reported that they would like to consolidate their toolchains. Primary concerns surrounding toolchain management include challenges around consistently monitoring a myriad of tools and difficulty context switching, as well as slowed development velocity, increased costs and retention, according to the report.

“The last year marked a significant turning point in the adoption of DevOps tools, platforms and processes,” said David DeSanto, vice president of product at GitLab, in a statement. “In 2022, we’re seeing the fruits of those efforts. Despite hurdles presented by the ongoing pandemic, including cultural shifts, all remote and hybrid team collaboration, and challenges surrounding hiring and retention, teams are releasing new applications faster than ever.”

DeSanto predicted there will be an ongoing focus on speed, security and compliance as organizations continue to consolidate their DevOps toolchains and processes.

Public sector lagging on DevSecOps

However, the trend toward speedy software releases is mainly restricted to the private sector, as the survey found that the speed of software delivery within the public sector stalled from the previous year, with 59% of government respondents reporting the same rate of delivery or slower than in 2021.

While it is encouraging to see that half of U.S. government respondents have adopted a DevSecOps platform, “there’s still a ways to go for the public sector to catch up with its private sector counterpart in terms of software release speed and innovation,” said Bob Stevens, vice president of public sector at GitLab, in a statement. “Government agencies must invest in tools that enable rapid software delivery to meet the needs of service members and citizens or risk stagnation and even attacks.”

Overall, the data shows that releases are occurring faster than ever and developers pointed to investment in a DevOps platform as the reason why.

The rapid adoption of DevOps in 2021 drove rapid software delivery, better code quality and improved developer productivity. Key challenges and opportunities for the upcoming year include tool consolidation, an increased focus on security and compliance, and a continued effort to align development and security teams.

Industry observers say developers and security teams must collaborate

Tim Mackey, principal security strategist at the Synopsys Cybersecurity Research Center, said that because DevOps platforms touch the software powering a business, “when choosing any DevOps platform, the security of the platform itself and the security competencies it enables should always be ‘must haves.’ In effect, any decision about new software should be based on how it improves the current security capabilities of the business.”

It’s risky for organizations to depend on development teams alone for security, said Michelle McLean, vice president of API security provider Salt Security. Security and developer teams must collaborate and work together to ensure security at every point in the application lifecycle.

“It’s fundamentally important to choose a DevOps platform that either has security capabilities built-in or that can easily integrate with security platforms to facilitate collaboration by security and DevOps teams,’’ McLean said. “Otherwise, organizations run the risk of pushing out unsecured software or introducing other risks into the software supply chain.”

If teams can manage and implement security in a seamless and efficient way early in the development process, it’s easier and cheaper to address issues than addressing them after the code has already shipped — and that’s without adding in breach or liability costs, observed John Bambenek, principal threat hunter at Netenrich, a security and operations analytics SaaS company.

“You can either fix it in dev or in prod, but you’re going to have to fix it sooner or later.”

GitLab surveyed 5,001 software professionals worldwide in May 2022.

Source of Article