Date: 2021-05-04

Continuing a trend the 2020 DevSecOps report indicated, developer roles continue to shift left, taking on more responsibility for what were traditionally operations- and security-related tasks. In 2021, more than 70% of security professionals report their teams have moved security considerations earlier into the development, or “shifted left” — an increase from last year’s 65%. Research indicates this broad increase in shifting left is due in part to an increase in developers conducting static and dynamic application security testing. Fifty-three percent of developers reported running static application security testing (SAST) scans (a 13% increase from last year) and 44% of developers reported running dynamic application security testing (DAST) scans (a 17% increase from last year).

Overall, this indicates a major step towards putting the “Sec” in DevSecOps — and the industry is seeing the benefits too. In fact, the report shows how far DevSecOps has come in the last year, with an unprecedented 72% of security professionals reporting their organizations’ security efforts were either “good” or “strong.” That’s a significant improvement from last year, when only 59% said the same thing. The largest year-over-year increase was in the “strong” category: last year only 19.95% of respondents considered their security posture in that light, compared to nearly 33% in 2021.

While teams are showing signs of moving towards DevSecOps, research indicates organizations still struggle with determining who is in charge of security. Almost 31% reported they (security) were fully responsible for it, but almost 28% said everyone was responsible. This response is similar to last year’s, and underscores the need for clarity on this subject.

“While the industry has continued integrating security into development, and organizations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Johnathan Hunt, vice president of security at GitLab. “In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organization, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”

While greater strides toward implementing DevSecOps practices have been made this year than in years previous, there is more work to be done when it comes to organizing and coordinating responsibility between security, developer and operations teams.