DevOps is getting code released faster than ever. But security is lagging behind

DevOps is speeding up software release cycles like never before. But according to GitLab’s latest survey, finger-pointing over who should be in charge of security remains an issue.

GitLab’s 2021 DevSecOps report surveyed 4,300 software professionals


Getty Images/iStockphoto

DevSecOps tools are enabling developers to release new code faster than ever – yet testing, code review and disagreements over who is in charge of security remain sticking points within organizational teams, according to GitLab’s latest industry survey.

GitLab’s fifth annual DevSecOps survey quizzed 4,300 software professionals on their use of DevOps tools, with the aim of uncovering how software teams had changed as the industry matured.


It found that the forced adoption of remote work in 2020 had been a “catalyst” for the uptake of DevOps technologies, with teams increasingly integrating automation into their software development cycles to speed up software releases and give precious time back to developers.

Just over 84% of developers reported they were releasing code faster than before, with 57% reporting that code was being released twice as fast – a significant jump from last year’s 35%.

Nearly one in five (19%) said code was going out the door 10x faster. When quizzed on what had changed in their processes to speed things up, 21% of survey respondents said they’ve added source code management to their DevOps practices (up from 15% last year), while almost 18% added continuous integration (CI) and 13% added continuous delivery (CD). Nearly 12% said adding a DevOps platform had sped up the process, while just over 10% had started using automated testing.

Almost 25% of teams reported using full test automation – more than double 2020’s figure – while 28% of respondents felt they were “at least half-way” to full automation. Around 34% of survey takers said developers test some of their own code (up from 31% last year) and 32% said automated testing happened as code was written, up from 25% in 2020.

When it came to deployment frequency, almost 59% of survey respondents said their teams deployed code multiple times a day, once a day, or once every few days. This was almost identical to the response to GitLab’s 2020 survey. All told, 28% of developers deployed ‘continuously’ – defined as multiple times per day – while 15% deployed once a week, 10% once a month, and under 7% once every few months.


Yet even with code being released faster than ever before, security testing and code review remain sticking points for DevOps professionals. Just over 42% of developers said testing was happening too late in the development cycle, with roughly the same number of respondents finding it a challenge to unpack, process and fix vulnerabilities.

Tracking bug fixes was cited as a development headache by more than a third (37%) of respondents, while 33% found remediation prioritization – determining which bugs to address first – difficult.

The other bottlenecks include planning, code development, and code review, again reflecting GitLab’s 2019 and 2020 surveys.

Finding someone to fix problems when they arise was also highlighted as an issue among software teams – and pointed to what GitLab called “the sometimes contentious relationship between security teams and developers.”

As security and operations tasks increasingly “shift left” onto developers, who take them on earlier in the development cycle (hence the ‘Sec’ in DevSecOps), teams are running into arguments over who should be in charge of security.

Nearly a third (31%) of respondents to GitLab’s survey said security teams were completely responsible for security, while nearly 28% felt it was a shared responsibility.

Finger-pointing also remains “in full force,” but at lower rates than seen in previous years, said GitLab. Last year, 93% of security pros said developers only caught 25% or less of bugs in existing code – leaving the remaining three-quarters to be mopped up by security teams later.

This year, only 45% of security team professionals said the same thing, while 37% said developers were managing to catch up to 50% of all bugs.

Further, more than 8 in 10 (83%) security pros felt that the ability to catch bugs should be a metric on which a developer’s performance is measured. Nearly the same percentage (81%) complained it was difficult to get developers to make bug fixes a priority, and 77% of security pros agreed to some extent that bugs are mostly found by them only after code has been merged into a test environment.


Johnathan Hunt, vice president of security at GitLab, said the results indicated that more work was needed to organize and coordinate responsibility between security, developer and operations teams.

“While the industry has continued integrating security into development, and organizations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Hunt.

“In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organization, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”

GitLab’s 2021 survey also assessed the uptake of DevOps technologies amid the shift to remote work, and how this had changed the skills and tools respondents deemed important for their future careers.

Thirty percent of developers said understanding of AI and machine learning would be crucial to their future careers, compared to 22% in 2020. Soft skills like communication and collaboration were deemed important and were cited by 18% of respondents, along with “cutting-edge” programming languages. This was followed by GitOps at 14%, and IoT/blockchain at 11%.

Respondents also said they wanted to know more about cloud/cloud native, cross-platform development, low-code, data science, Python, and cryptography.


“This year’s Global DevSecOps Survey shows that 2020 was a catalyst for DevOps maturation,” said Eric Johnson, CTO at GitLab.

“Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year. We believe we will see improvements in testing as more teams adopt tools to automate the parts of DevSecOps that have continuously caused cycles to slow down.”
