The GitLab 2022
Global DevSecOps Survey
Thriving in an insecure world
70%
of DevOps teams release code continuously, once a day, or every few days, up 11% from 2021.
Automated testing is growing
47% of teams report their testing is fully automated today, up from 25% last year.
New technologies and methodologies
62% of survey takers are practicing ModelOps, while 51% use AI/ML to check (not test) code.
Fully automated in 2022
in 2021
in 2020
DevOps platforms in use
Teams practice DevSecOps
CI/CD is onboard
Observability/monitoring tools are in place
AI/ML is powering code review, software test and more
Why use a DevOps platform?
Security
Cost and time savings
Improved DevOps
Easier automation
Improved monitoring
Improved observability
Better metrics
Developers
As we’ve seen over the last three years, devs are taking on more ops responsibilities, as well as more ownership of security.
35%
of devs are releasing code twice as fast, and 15% are releasing code between three and five times faster.
All told, almost 60% acknowledged code is moving into production at a much faster clip.
Why the faster releases?
We asked devs "what’s changed" and a majority said use of a DevOps platform, followed by automated testing, SCM, planning tools, and observability.
What do devs want more of?
More code reviews, automated testing, and planning.
If releases are delayed...
devs blame code development, code review, security analysis, test data management, and, of course, testing.
Roles are changing
Fully 38% of devs said they instrument the code they’ve written for production monitoring (up from 26% in 2021 and just 18% in 2020) and 38% monitor and respond to the infrastructure their apps are running on (up 25% from last year).
It’s a tough world
Developers acknowledge that Covid-19, hiring, security threats, culture changes, and complex tech learning curves added more real-world difficulties to their roles than ever before.
Less is more
Automation has lightened the dev load and eased the burden for manual testing, code review, opening tickets, and more.
Devs who spend between one-quarter and one-half of their time on toolchain maintenance/integration
Devs who devote at least half their time and as much as all of their time on toolchain integration and maintenance
We have a development capacity challenge, a recruiting challenge, and a knowledge-sharing challenge.
Security
Security pros are also seeing their roles change, particularly when it comes to getting “hands on” with dev teams to get things done.
71%
rated their organization’s security efforts as either “good” or “excellent.”
The great shift left continues
57% of sec team members said their orgs have either shifted security left or are planning to this year. One-third of teams, though, aren’t thinking about a shift left until at least two years from now.
Who owns sec?
As we’ve seen in previous surveys, this is still an area in need of clarity. 43% of sec team members admitted to full ownership of security (a 12% jump from last year), but a resounding majority (53%) said everyone was responsible, a 25% increase from 2021.
Not as optimistic
Concern about security has never been higher, so perhaps it’s not surprising 43% of sec pros feel “somewhat” or “very” unprepared for the future.
In the future...
a majority of sec pros think AI/ML skills will help their careers the most, followed by communication and collaboration (33% each).
All in a day’s work
35% are more involved in daily tasks/more hands on, an 11-point jump from last year.
run SAST scans (a dramatic jump from last year, which was less than 40%)
employ dynamic application security testing (DAST) scans (up 11 points from last year)
scan containers today (up 10% from 2021)
perform dependency scans
ensure license compliance checks
have SAST lite scanners in a web IDE
pull scan results into a web pipeline report for devs
make DAST, container and dependency scans easily available to devs
Operations
No one wears more hats on a DevOps team than an ops pro, and their roles continue to shift dramatically.
44%
of ops teams are “mostly” automated and almost one-quarter of ops teams report full automation, both big jumps from 2021.
Compliance and audits FTW
Most ops pros spend between one-quarter and half their time on audit and compliance, a 15% increase from 2021. And almost 25% of ops pros spend between half and three-quarters of their time dealing with audit and compliance.
The DevSecOps gets real
Just over 76% of ops teams agree at some level that devs are able to receive and address security issues during the development process (that’s a 10% jump from last year).
Developer enablement
~77% of ops pros said their devs are able to provision testing environments, which is an 8% increase from last year.
acknowledge the data exists but accessing/management is difficult
are "overwhelmed" by amount/scope of data
don't know what's available or org doesn't track what they need
have all data necessary and it's easy to access