Software development platform vendor GitLab today revealed the results of its latest global DevSecOps report, titled "Security Without Sacrifices," identifying a number of key trends.
One of the key trends identified in the report, which benefits from the input of 5,010 global IT leaders surveyed last month, is that security remains a key priority for organizations. However, that shouldn't come as a surprise to anyone. What might come as a surprise, though, is that 71% of security vulnerabilities are now being discovered by developers, up from 53% in 2022.
The reports also found that there is an increasing interest and usage of AI/ML technologies in support of DevSecOps efforts, with 62% of developers using AI/ML to check code, up from 51% in 2022. Plus, there is a strong desire across users to consolidate toolchains, in a bid to improve developer productivity.
While there are multiple positive trends, there are a few surprises too. Of security professionals who responded to the DevSecOps report, 43% shared that they felt "somewhat" or "very" unprepared for the future.
"This concern is surprising given other, more encouraging findings, including that the same security professionals report a 57% increase in shifting left," Mark Loveless, staff security researcher at GitLab, told ITPro Today. "This suggests that security professionals feel they are still in catch-up mode, particularly with advances in other areas such as AI/ML."
How DevSecOps Users Are Benefiting from AI/ML
There are a few reasons why more security vulnerabilities are being captured by developers.
Loveless said that developers are continuing to shift toward more collaborative DevSecOps frameworks and AI/ML-powered code testing is on the rise. In his view, as developers embrace their role in security and technology continues to pave the way for more collaboration, security is becoming a natural and integrated piece of software development.
"Instead of simply shifting left, DevSecOps strategies work best when security is shifted everywhere within the framework so the entire process from development to delivery covers all vital security elements," Loveless said.
The report also clearly identified that artificial intelligence and machine learning are now critical components of DevSecOps success. The majority of developers are using AI/ML, most commonly for testing efforts – 65% of respondents said they are or will be using AI/ML in the next three years, the report found.
"Interestingly, we saw that developers who use a DevSecOps platform were more likely to have implemented automation and AI/ML for testing than those who do not," Loveless said.
Challenges Remain for DevSecOps
There are a few challenges to improving DevSecOps.
Loveless pointed out that GitLab has seen an increase in DevSecOps pros claiming security as their responsibility — 53% of respondents, up from 44% in 2022. However, there continues to be a disconnect between developer, security, and operations teams on where the bulk of ownership for application security falls. The report found that developers are more likely than security teams or operations teams to say security teams are primarily responsible, while security respondents are more likely than dev or ops teams to say developers are primarily responsible.
"Security and development teams need to align on ownership to streamline collaboration and ensure secure workflows and optimal DevSecOps practices," he said.
Another challenge is tool fragmentation. Toolchain management is an ongoing barrier to DevSecOps productivity, with 40% of developers reporting that they spend up to half of their time maintaining and integrating toolchains. As a result, teams are left with less time dedicated to critical tasks such as compliance and regulatory adherence. Fifty-seven percent of security respondents said they use six or more tools, compared with 48% of devs and 50% of ops.
"Dev and sec pros must prioritize consolidating their toolchains to take back their time and integrate tools to ensure consistent monitoring and actionable insights," Loveless said.
About the author
Sean Michael Kerner is an IT consultant, technology enthusiast and tinkerer. He consults to industry and media organizations on technology issues.
