In February 2020, nearly 3700 DevOps practitioners from 21 countries shared, often in their own words, the reality of their software development journeys. They told us DevOps works for them: Nearly 83% said they’re releasing code faster and about 60% are deploying code either multiple times a day, daily, or every other day. But they also offered details of a less obvious but perhaps more important shift – their roles are changing, in some cases dramatically, because of DevOps.
Although this survey was completed before today’s unprecedented economic upheaval, we think the insights in our 2020 Global DevSecOps Survey may help you get a greater understanding of real world DevOps and the way job responsibilities are changing for developers, security pros, operations team members, and testers.
Dev + Ops
Why are developers releasing code more quickly with DevOps? For starters, they’re adding some of the key DevOps components including CI, SCM, automated testing, and CD.
"Pre-deployment tests have provided more confidence that the product is ready to be released, also delivery frequency has increased."
But the technology changes only tell part of the story. Traditional operations-type duties like provisioning or maintaining environments are increasingly part of development responsibilities. Over 34% of developers say they define and/or create the infrastructure their app runs on.
"Deployment has become a non-task. Bootstrapping new projects is 10x faster because of the reusable infrastructure."
Developers say they’re no longer doing lots of hands-on tasks – like manual testing, deployments or merging – but they are increasingly responsible for security. In fact 28% say they’re now solely responsible for security in their organizations, a clear sign that security is beginning to "shift left" in a material way.
"Security varies project to project. DevOps is usually tasked with 'protecting' our environments. We devs try to follow industry standards code-wise."
An uneasy alliance
Although security remains a work in progress at many if not most organizations, there are a few signs that DevSecOps is actually happening. Security professionals report that they are (finally) part of cross-functional teams and are working more closely with developers than ever before.
"(Security) is becoming less focused into silo positions and more of a jack of all trades role."
In fact 65% of security teams say their organizations have "shifted left" though, when we drilled down to find out what that actually meant, the details became much less clear. Fewer than 19% put SAST scan results into a pipeline report a developer can access and dynamic application security testing (DAST) fares even worse – less than 14% of companies give developers access to those reports.
At the same time, security teams continue to report that developers don't find enough bugs early enough in the process and/or that they’re reluctant to fix them when they are discovered.
To add to the confusion, 33% of security pros say they’re solely responsible for security in their organizations. But nearly the same percentage – 29% – say everyone is responsible. The ideal, of course, is what was shared by one survey taker:
"We don’t have separate security, developers and operations; we are DevSecOps (and more)."
In the clouds
Operations is often the place where the proverbial rubber hits the road and that’s particularly true with DevOps. In fact over 60% of operations team members report their roles are changing thanks to DevOps.
What do these new roles look like?
"Ops is 60% new project work and 40% operations/fire-fighting/developer support."
"We ensure reliability and availability, improve developer efficiency, automation, tools, and observability."
"We keep the lights on."
"(Ops today is) anything between dev and ops. From planning to deployment but not monitoring and maintaining apps in production."
Today 42% of operations team members see their role as primarily managing hardware and infrastructure, while 52% say their first priority is managing cloud services.
The trouble with test
For the second year in a row our survey takers have pointed squarely to testing as the number one reason releases are delayed. Last year 49% said test was at fault; this year it was 47%.
But there are small signs of change. Almost three-quarters of organizations report they have shifted testing left, meaning they’ve moved it earlier into the development process. What does that actually mean? Approximately 31% said developers test some of their code and 25% said automated testing happens as code is being written. About 17% said dev and test work as a team to test "as close to real time as possible," and about 9% said they practice test-driven development (TDD).
"We do TDD. QA and dev act as a team. We have automated tests running parallel with developing code."
Like security, testers say they are now much more involved in the development process. Nearly 30% said they’re working more closely with developers, and 16% said they have "a more visible seat at the table." And just over 15% said that thanks to DevOps, they’re much more likely to be able to "test what matters."
"We have to write less paper and tickets and have faster reaction times."
"We’re all the same – dev team is the ops team."
"We’re starting to see light at the end of the tunnel."
Our respondents had a big list of areas they hope to focus on for the future from automation to CI/CD and even going more deeply into DevOps. DevOps and lifelong learning clearly go hand in hand.
But let’s end on a high note. We asked developers how prepared they are for the future: 71% said prepared or very prepared, while less than 25% said "not very prepared." But we like this comment left from one developer, who has the lifelong learning baked in:
"I’m only prepared because I constantly keep tinkering on the side."