bas121 - Fotolia
More organisations in Australia and New Zealand (ANZ) are moving to adopt agile DevSecOps practices, with 39% already undertaking this transition and a further 36% earmarking plans to do so in 2022, according to a study.
Commissioned by Lacework, the study involving 170 technology practitioners from ANZ found that more significant amounts of software development combined with greater security concerns are driving the adoption of DevSecOps.
However, DevSecOps adoptees still face challenges, with over half of respondents citing budget constraints, skills shortages and tool proliferation that stretches existing teams to capacity as factors hindering their adoption of DevSecOps.
Only 16% of respondents currently rely on a single tool for testing and scanning, while 84% report using two or more tools to perform these tasks.
“We are seeing a positive and speedy uptake of DevSecOps across the region, but it’s not possible to maintain the security status quo and also achieve innovation through organisational agility as business processes evolve,” said Graham Pearson, vice-president and managing director of ANZ at Lacework.
“To take advantage of DevSecOps processes, ANZ organisations must streamline security tools, adopt and implement continuous security, and create automated testing throughout the software development and release process. Throwing more money at the problem without taking these steps will only feed existing challenges, not solve them,” he added.
Graham Pearson, Lacework
The report also found that DevOps and engineering teams are improving build-time security and their ability to catch issues before shipping to production environments.
For example, 37% of those surveyed said their DevOps teams have a dedicated headcount in place to take responsibility for build-time security as part of the development cycle. A further 23% called out a shared responsibility model whereby build-time security was the joint responsibility of DevOps and security.
“With cloud spending tipped to continue explosive annual growth of 23.4%-28.8%, tooling needs to evolve to foster and promote agile practices like DevSecOps and maximise cloud without adding complexity,” said Pearson.
According to IDC, DevSecOps will drive at least 50% of new applications in Asia-Pacific by 2024, fuelled by shorter software development lifecycles.
“Old security processes that put security at the middle or end of the process are just too expensive and inefficient now,” said Gina Smith, research manager at IDC Asia.
“Shifting security left – all the way to the planning stage – can dramatically improve efficiency and decrease cost. The bottom line is that it jumpstarts the output of quality code, which is what it is all about,” she added.
Smith said as more enterprises rely on open source and cloud technologies, as well as application containerisation, they will face a “complicated set of challenges” which a mature DevSecOps policy will help to address.
“Building security planning, testing and monitoring into every phase of the DevOps pipeline is about bridging the age-old division – and enmity – among developers, IT and security,” she added.
Read more about DevSecOps
- Attackers are knocking at your door. Don’t waste time with repetitive, automatable security tasks. Here’s how DevSecOps enables code analysis, security testing and more.
- The CNCF, defence contractors and IT suppliers join forces with the Department of Defence to establish NIST security standards and best practices for DevSecOps.
- To help transition to a DevSecOps model to protect enterprises, security teams need to identify key stakeholders, provide examples of specific company security events and work toward creating crossover teams.
- To address security early in the application development process, DevSecOps requires a litany of skills and technology literacy. Learn what it takes to be a DevSecOps engineer.