More than three-quarters of DevOps professionals do not practice “DevSecOps”, or are still in the process of implementation.
The DevOps Pulse 2018 survey by Logz.io, which polled 1044 DevOps engineers, sysadmins, developers and other IT professionals, found that 54% said their department handles security incidents in their organization, while only 41% have dedicated security operations personnel.
The survey also found that 76% of respondents either do not practice DevSecOps or are still implementing it, 71% do not feel their team has adequate knowledge of DevSecOps best practices, and 56% do not feel adequate tools are available to help with DevSecOps.
Eoin Keary, founder of edgescan, told Infosecurity that he felt the finding that 54% of DevOps departments handle security incidents was a good thing, as it shows that cybersecurity is being integrated with DevOps professionals earlier and continuously.
“Handling incidents is also positive assuming the know-how is there: most incident response teams have staff from different departments within a company,” he said. “At edgescan, we see a large uptick for SaaS and managed services given the ability for a client to leverage dedicated experts and knowledge in particular fields they may not have internally in the organization.”
Keary also acknowledged that DevSecOps is still an emerging movement, and the cultural change required to implement a DevSecOps methodology can take time to foster.
Kai Roer, CEO of CLTRe, told Infosecurity that he felt that the 76% figure was natural, as even if half of all organizations did manage incidents within the DevOps team, “this transformation of culture is work in progress.”
He said: “DevSecOps is a huge cultural shift, merging different teams, with different focuses, interests and competences, into one team. This shift has seen some very interesting successes, for example by speeding up patch deployments, as well as improving security by making changes available much faster.
“DevOps has matured a lot over the past few years, and adding security to form DevSecOps has been idealized for some time now. Just as merging operations and development made a huge cultural shift to the teams and to their organizations, adding security is likely to do the same. Suddenly, security goes from being a specialist team who sits on the side-lines, into a function that is tightly incorporated within development and operations.”
Roer said that this change is “bound to improve the security competence in those organizations”, and would thereby directly influence their security culture.