The days of security as a “nice to have” are officially over as we enter the era of DevSecOps. In our 2022 Global DevSecOps Survey of more than 5,000 practitioners, security was the driving force behind technology choices, team structure, DevOps platform use, and more.
The findings from our sixth annual survey represent a dramatic shift from past years, when security teams – and security concerns – were often siloed and silenced in the push to get software out the door faster.
Nothing could be further from the truth today:
The number one reason to implement a DevOps platform? Security. (And 75% of DevOps teams use a DevOps platform currently or plan to this year.)
The number one benefit of a DevOps platform? Security.
The number one investment priority for 2022? Security.
The attention to security in DevOps teams doesn’t stop there. As our surveys have shown since 2020, DevOps roles continue to shift, and this year, many of those shifts were laser-focused on security.
53% of developers told us they’re “fully responsible” for security in their organizations, a 14 point increase from 2021.
Over one-third of security pros report being “hands on” and involved on a daily basis with dev and ops, an 11% increase from last year (and a massive cultural shift from groups not always known to get along).
Almost 50% of ops pros say they’re fully responsible for security in their organizations, up 20% from last year.
And when we asked developers about the most difficult parts of their jobs, thousands pointed to security and security-related concerns. Three developers summed it up:
“Cyber security attacks are the biggest concerns facing us today.”
“Data security, data security, I repeat, data security.”
“Trying to build applications that are secure and stable.”
More work to do
Security clearly has a seat at the DevOps table today, but areas of friction remain.
For starters, security testing requires a balance that’s difficult to achieve. Static application security testing (SAST), dynamic application security testing (DAST), and container and dependency scans are increasing, which is good news, but the percentage of devs able to easily access those results in their workflows remains stubbornly low (30% or less).
And sec and dev may never see eye to eye on finding and fixing bugs. For the third year in a row, sec pros said devs don’t find enough bugs early enough in the process, meaning they are stuck finding and fixing them much later (when it’s more difficult). And, as we’ve heard repeatedly over the last years, security’s focus and development’s focus aren’t usually the same:
57% of sec pros said finding bugs was a developer performance metric in their organizations, but 56% said it was difficult to get developers to actually prioritize bug remediation.
Facing the future
While security pros feel good about their organizations’ security postures (71% rated them as “good” or “very good”), they’re not feeling particularly optimistic about the future. A full 43% said they feel “somewhat” or “very” unprepared for the future; to look at it from another way, the percentage of sec pros who are confident, 56%, is 20 points lower than either their ops or dev colleagues.
What can help power security professionals into the future? Surprisingly, the top answer (54%) is AI, which was a 33% increase from last year. Since 2020, sec respondents have said soft skills like communication and collaboration were most important but this year soft skills came in second place.
Security is just one of many themes – automation, AI, information overload, real world challenges, compliance, and faster releases, to name just a few – our survey uncovered. So download and share the entire report, “The 2022 DevSecOps Survey: Thriving in an Insecure World”, to dig deeper into them.