Apr 16th 2018

Sonatype survey reveals massive data breaches are catalysts for DevSecOps investments

While application breaches jumped 55%, emerging DevSecOps practices grew 15%

SAN FRANCISCO – RSA Conference – April 16, 2018 – Sonatype, the leader in open source governance and DevSecOps automation, today published findings from its fifth annual DevSecOps Community Survey of 2,076 IT professionals. The survey shares practitioner perspectives on evolving DevSecOps practices, shifting investments, and changing perceptions.

Survey respondents revealed that breaches related to open source components grew at a staggering 50% since 2017, and 121% since 2014. This follows on from Sonatype’s findings earlier in the year, which showed that 1 in 8 open source components downloaded by developers in the UK contained a known security vulnerability.

Yet despite this, resourcing and training still presents challenges: 48% of respondents admitted that they don’t have enough time to spend on application security, while 35% of developers from companies with no DevOps practices received no training on application security in the past year.

The results also revealed that developers outnumber security professionals by 100:1, highlighting the urgent need for automated application security testing to mitigate risks and improve business productivity.

The findings demonstrated that more organisations are waking up to this approach, with mature DevOps practices showing 15% year-over-year growth in applying security practices throughout the development lifecycle.

The survey found that those companies with mature DevOps practices are 24% more likely to have deployed automated security practices throughout their development lifecycle. Investments in open source governance, container security, and web application firewalls were noted as the most critical to companies pursuing DevSecOps transformations.

Other key findings from the survey include:

  • 77% of mature DevOps organisations have open source policies in place, with a 76% adherence rate. Conversely, only 58% of respondents without mature DevOps practices had a policy with a 54% adherence rate – revealing that DevSecOps automation is difficult to ignore
  • 59% of mature DevOps companies are building more security automation into their development process as attention toward GDPR compliance grows
  • 88% of those with mature DevOps practices are investing in application security training, while 35% with immature practices said they had no access to security training. This finding points to stronger cybersecurity readiness postures of those investing in DevOps
  • 63% of respondents with mature DevOps practices say they leverage security products to identify vulnerabilities in containers, as these components become more ubiquitous in modern IT landscapes
  • 48% of respondents admitted that developers know application security is important, but they don’t have the time to spend on it, shedding light on the growth in automated security