Commentary: Developers are finally taking on more of an operational role, but they still aren’t getting involved enough in security.
We’ve been talking about DevOps for eons, but it’s finally becoming real. That is, if the nearly 3,700 people who completed GitLab’s recent 2020 DevSecOps survey are to be believed. Of those respondents, 41% were developers, many of whom say they define and/or create the infrastructure their apps run on. Success!
Well…maybe. It’s great that developers are taking on more operations responsibilities, but one big miss may be in the area of security.
Lots of DevOps talk
But first, the good news: Developers are finally having their DevOps day. Of the developers surveyed, 35% say they define and/or create the infrastructure their app runs on. A smaller but significant 14% go a step further and monitor and respond to that infrastructure. Furthermore, approximately 18% instrument their code for production monitoring, while 12% serve as an escalation point when there are incidents.
DevOps FTW, right?
Well, sort of. According to the developers, just 35% of them are deep into DevOps. Meanwhile, if you ask the question of a broader population…73% say they’ve been doing DevOps for at least a year (35% have had DevOps in place for one to three years, while 20% say they’ve been doing DevOps for more than five years). That’s a lot of DevOps being done without developers.
Let’s chalk it up to aspirational exuberance. What is less easily shunted aside, however, is how this rising developer involvement in operations translates to security.
Who’s in charge?
On the positive side, over 25% of developer respondents to the survey said that they’re wholly responsible for the security within their organizations. (Ops professionals, by contrast, say they’re responsible just 21% of the time.) This should be a step in the right direction, as it makes developers take more care as they write the code, rather than making security an afterthought. Indeed, 65% of security professionals say their organizations are making security a key part of the development process.
Despite this “leftward” shift, security teams also say developers are missing too many bugs (75% of bugs) at the earliest stage of development and are slow to fix them. This could be because over 60% of developers don’t run SAST (static application security testing) scans, and 73% don’t conduct DAST (dynamic application security testing) scans. Nor do most run container scans (only 44% do), and only close to half run compliance scans. (Roughly 57% do conduct dependency scans, which is nice.) Not surprisingly, then, more than 42% of security professionals say testing happens too late in the software development life cycle, while 36% argue it’s hard to understand, process, and fix bugs once they’re discovered.
Now compound all this with the reality that every organization is actively using open source software but relatively few are contributing cash or code to the communities upon which they depend, and we have DevOps promising to get better while DevSecOps hardly improves. As Tidelift CEO Donald Fischer wrote recently, “Today’s IT leaders don’t always know what kind of ‘ingredients’ are being used in their applications.” Whether by subscribing to Tidelift to better care for the open source supply chain or by better integrating security and developer professionals within an organization, we have a lot of work to do before we celebrate DevOps success.
Disclosure: I work for AWS, but nothing herein relates to my work there.