DevSecOps: Software developers lack sufficient security focus

GitLab survey shows developers want to produce high-quality code, but ‘shifting’ security left is hard to achieve

A global survey of 5,001 software professionals from GitLab has found that developers believe efficiency, higher-quality code and developer productivity are key drivers for DevOps adoption.

GitLab’s sixth annual Global DevSecOps survey found that the developers polled continue to prioritise security and compliance, investment in toolchain consolidation and the ongoing impacts of rapid DevOps adoption.

After two years of growth in technological adoption, almost three-quarters of the developers surveyed say they have adopted – or plan to adopt within the year – a DevOps platform.

Security and the complexity of DevOps toolchains were among respondents' main concerns.

Looking at toolchain consolidation, GitLab reported that 69% of those polled want to consolidate their toolchains because of challenges with monitoring, development delays, and negative impact on developer experience.

The survey found that while 60% of the developers surveyed are releasing code faster than before, nearly 40% say they are spending between a quarter and half of their time on maintaining or integrating complex toolchains – more than double the percentage from 2021.

As regards security, the 2022 survey found that this is the highest-priority investment area for organisations. It reported that more than half of security team members say their organisations have either shifted security left, back to developers, or plan to do so this year.

However, despite an appetite to shift security left, GitLab found many companies are still nascent in their approach and results. Just 10% of those polled reported receiving additional budget for security.

GitLab said the survey shows a misalignment between security and development teams. More than half of the survey respondents said security is a performance metric for developers within their organisations, but 50% of security professionals reported that developers are failing to identify security issues – to the tune of 75% of vulnerabilities.

To align performance metrics with reality, GitLab recommended that developers be incentivised to practise security protocols and be given full visibility into the toolchain and its potential risks.

“Rapid deployment and speed to market are some of the biggest differentiators in today’s business landscape,” said Johnathan Hunt, vice-president of security at GitLab. “This often comes at the cost of security – a major concern across technology, business and government leaders – but it doesn’t have to.

“Streamlined toolchains and standardised, transparent processes help organisations keep security and compliance at the core of the software development lifecycle, rather than an afterthought.”

When security collaboration is achieved, organisations can produce great results, said GitLab. The survey showed that a commitment to security is a driving force for many decision-makers when choosing a DevOps platform or other tools.