Looking for a DevSecOps maturity model that works? Start with our 2021 Global Survey

Chrissie Buchanan ·
May 18, 2021 · 2 min read · Leave a comment

In our just released 2021 Survey, 4300 people told us about their successes and their challenges, but in some ways the biggest takeaway were the signs of a burgeoning DevSecOps maturity model. Somehow, when Covid and DevOps collided, big things started to happen particularly around DevSecOps.

Yes, Virginia, there is a DevSecOps

More teams are doing DevSecOps than ever before – and doing it well. Fully 72% of security professionals rated their organizations' security efforts as "strong" or "good," a significant increase from 59% the year before. This shows us that investments in security and the cultural shifts from DevOps to DevSecOps are paying off.

That's right, we're shifting left

Anonymous DevSecOps survey response

Over 70% of security pros said their teams have shifted left and moved security earlier into the development lifecycle. So who's in charge? That's still an open question in this new DevSecOps maturity model. Almost 31% of security pros told us they were the ones in charge, but 28% said everyone that was responsible, almost identical to last year's survey. And when it came to finding bugs, 77% of security pros admitted to being the exterminators in their org (not devs) after code is merged in a test environment.

So how is it shifting left? While there are some conflicting responses (Devs! Security! Devs! Security!) – the truth is probably somewhere in the testing.

The SAST and the furious

In this new DevSecOps maturity model there is simply more testing (and that's never a bad thing). Today, 53% of developers run SAST scans (a 13% increase from last year) and 44% run DAST scans (a 17% increase from last year). Better yet, over 50% of security pros report their devs scan containers, run dependency scans, and do license compliance checks. That's all excellent news! So all testing issues are solved, right? Well, not exactly.

Security testing remains a sticking point. While security pros agreed that their teams are shifting left, testing still happens too late in the process (over 42%), and it's still was a struggle to fix vulnerabilities. While security is finding most of the bugs, almost 37% of them said it was tough to track the status of the bug fixes, and 33% said it was hard to prioritize the remediations. Finally, 32% said just finding someone to fix the problems was a headache too.

DevSecOps survey results

In spite of everything thrown at them over the last year, DevOps teams are innovating and collaborating on problems like never before, and this year's DevSecOps survey results are showing just how far we've come. Still, there are opportunities for growth and security challenges left to solve.

Is 2021 the start of a real DevSecOps maturity model? Download the report and learn about the practices and processes that are shaping the way we deliver software.

Try all GitLab features - free for 30 days

GitLab is more than just source code management or CI/CD. It is a full software development lifecycle & DevOps tool in a single application.

Try GitLab Free
Git is a trademark of Software Freedom Conservancy and our use of 'GitLab' is under license

Try the GitLab DevOps Platform for free for 30 days

Achieve higher productivity, faster and secure deployments

Start your free trial Maybe later