
Fewer than one-quarter of organizations have a DevSecOps strategy

(“the JavaScript Code” by Dmitry Baranovskiy is licensed under CC BY 2.0.)
While only 22% of organizations said they had a DevSecOps strategy, an overwhelming majority of the organizations responding to a Mezmo study reported that it had a positive impact on incident detection and response efforts.

Mezmo on Tuesday released research that found that, while only 22% of organizations say they have developed a DevSecOps strategy, 62% of organizations have a plan or are evaluating use cases for it, pointing to significant future growth.

Better still, of those who are already leveraging DevSecOps, an overwhelming 95% report a positive impact on accelerating incident detection, and 96% on response efforts.

DevSecOps has been a challenge because traditional security methods are too disruptive to processes, said Melinda Marks, a senior analyst at the Enterprise Strategy Group who conducted the research. “Organizations need solutions that work within developer workflows and tools along with their cloud-native tech stack. Leveraging observability data can help drive efficiency by utilizing data to provide insight for better security processes, policies, and faster incident response.”

The study also showed that 91% of organizations are using more than one tool to get the most value out of their data, which makes it difficult for multiple teams to have access to the data they need to do their jobs. Not having a “single source of truth” was reported as the greatest challenge holding teams back.

DevSecOps requires many changes across organizations to get the benefits, said Peter Chestna, CISO at Checkmarx. Chestna said most turn back or stumble before breaking through and realizing the positive impact DevSecOps can have.

“The report points to collecting and reporting the right KPIs as a key step to success,” Chestna said. “Once we have the facts, we must have a learning culture that’s empowered and measured on continuous improvement. For DevSecOps particularly, mutual accountability for application security between Sec and Dev is essential. Making problems ours to solve decreases the time-to-action and results. Cresting the challenge may not be easy, but the results from the effort are amazing.”

Hank Schless, senior manager, security solutions at Lookout, added that integrating security into DevOps workflows has become an important part of the software development lifecycle for organizations that leverage CI/CD tools. Schless said because there’s a continuous cycle of integration and delivery, developers are held to high expectations for delivering updates and improvements to their products.

“Customers and users expect to have the latest and greatest available to them, and if it’s not they’ll move on to a different SaaS product,” Schless said. “This expectation has led to the unfortunate fact that pushing new updates to meet deadlines sometimes overrides security testing. To ensure secure development processes, development teams and security teams need to collaborate and adopt a DevSecOps approach to delivering their services.”
