The survey also shows 60% of developers are now releasing code twice as fast with these technology adoptions, though roadblocks remain to be navigated before achieving true DevSecOps.
GitLab provides a single application for the DevOps lifecycle and has been tracking how roles across software development teams have changed as DevOps teams mature.
Its fifth annual survey was conducted across 4,294 software professionals from January to early March 2021. The margin of error is 1%, based on 27 million software professionals and a 95% confidence level.
“This year’s Global DevSecOps Survey shows that 2020 was a catalyst for DevOps maturation,” said Eric Johnson, CTO at GitLab. “Teams worldwide worked to streamline development cycles and deliver faster release time than ever before, all while adjusting to remote work and shifting priorities to meet the high demands of last year. We believe we will see improvements in testing as more teams adopt tools to automate the parts of DevSecOps that have continuously caused cycles to slow down.”
Perhaps unsurprisingly to any development team, the report found software testing and code review continue to be sticking points. However, the challenges are handled in widely divergent ways. 75% of respondents report they use or plan to use ML/AI for testing and code review, increasing from 41% in 2020.
Similarly, 55% of operations teams report their lifecycles are either completely or mostly automated, up from 8% in 2020.
The time savings gained from automation efficiencies allow DevOps teams to address other priorities, with 56% of operations professionals now reporting their first priority is managing cloud services, and they are spending more time on compliance than they did in 2020.
84% of developers state they are releasing code faster in 2021 than ever before. This is credited to tools like source code management and continuous integration and continuous deployment (CI/CD) pipelines. 12% of respondents said adding a DevOps platform has sped up the process and 57% of respondents said code is released twice as fast. 19% said code is released at a tenfold increase.
Despite the accelerated release cycle, over 42% of respondents felt security testing is happening too late in the process. 37% said tracking the status of bug fixes is challenging, and 33% found it difficult to prioritise remediations. These results are in line with the 2020 survey results and indicate a reactive approach to security in the development process, and that little progress is being made in this area.
The survey also revealed developer roles taking on more responsibility for what were traditionally operations- and security-related tasks. Over 70% of security professionals reported their teams have moved security considerations earlier into development. 53% of developers reported running static application security testing scans, and 44% reported running dynamic application security testing.
Respondents indicated an improvement in their view of the company's security posture, but research indicates organisations still struggle with determining who is actually in charge of security. Almost 31% reported security teams were fully responsible, while 28% said everyone is responsible. These results are unchanged from last year and demonstrate clarity is required.
“While the industry has continued integrating security into development, and organisations are beginning to improve security overall, our research shows that a more clear delineation of responsibilities and adoption of new tools is required to completely shift security left,” said Johnathan Hunt, vice president of security at GitLab. “In the future, we hope to see security teams find more ways to lay out clear expectations for the other members of their organisation, and continue to adopt innovative technologies for scanning and code reviews to improve speed and quality of development cycles.”
Overall, the GitLab research proves DevSecOps practices have made great strides, but more work is to be done when it comes to organising and coordinating responsibility between developer, security, and operations teams.