CloudBees and Sonatype Survey Results Show DevOps Maturing Rapidly

4 Mar by Vitaliy Dadalyan

‘Elite’ DevOps Practices Outperforming Less Mature Teams in DevOps
Automation and Open Source Controls, According to 2019 DevSecOps
Community Survey

CloudBees, the enterprise DevOps leader powering the continuous economy, along with
survey lead Sonatype, announced the results of the 6th annual DevSecOps
Community Survey today. While DevOps practices are maturing rapidly,
corporate application security initiatives are only gradually gaining
traction, according to a survey released today by Sonatype, CloudBees,
Carnegie Mellon’s Software Engineering Institute and several other
partners. The 2019 DevSecOps Community Survey of 5,558 IT professionals
also found that organizations with elite DevSecOps programs are
outperforming others in terms of DevOps automation, open source
controls, container controls, training and cybersecurity preparedness.
The 6th annual DevSecOps Community Survey was led by Sonatype with
CloudBees as a major sponsor.

The survey showed that 28 percent of all organizations have adopted
“very mature” DevOps practices, company-wide or in pockets, up slightly
from 25 percent in 2018. Another 49 percent reported their DevOps
practices as “improving.” Overall, 95 percent of respondents say their
organizations are using advanced development processes – agile, DevOps
and/or continuous integration/continuous delivery (CI/CD) – with the
remainder clinging to legacy waterfall development methods. Deployments
are also getting more frequent – with 9 percent saying they deploy with
every change and 65 percent deploying at least once per week.

“The clear increase in adoption of modern development practices of
Agile, CD and DevOps signifies important progress in the software
delivery space,” said Brian Dawson, DevOps evangelist, CloudBees. “These
practices are the foundation for the wider adoption of DevSecOps
practices and a security-first mindset. Software is intertwined in the
very fabric of our business and personal lives, making it critical that
we continuously secure software by automating key security practices
into the development and delivery pipeline. There’s still a lot of work
to do to get to DevSecOps but, as an industry, we are making progress.”

The survey showed mixed levels of progress on the security front.
Overall, only 54 percent of respondents said their organizations have
cybersecurity incident response plans in place – the same as 2018. More
than a quarter (26 percent) have no protections for confidential
information like passwords and API keys. And security tools are still
not well integrated with the DevOps pipeline: 11 percent are fully
integrated and automated, while 75 percent are not or are only partially

Breaches are still happening, but they’re becoming less frequent.
Seventeen percent of respondents said their companies experienced a
breach definitely or possibly tied to a web application vulnerability in
the past year – down from one third a year ago.

Developers themselves seem to want to get more involved in the
application security (appsec) process. Based on the survey, 28 percent
were fully focused on appsec, and another 46 percent want to be but are
too busy. To get up to speed they’d need training – but 17 percent of
survey takers said their companies have no appsec training available.

Meanwhile, organizations that have developed “elite” practices are
outperforming peers in several areas. For example, in DevOps automation,
organizations with elite DevSecOps practices are six times more likely to have fully
integrated and automated security practices across the DevOps pipeline
than their less mature peers. In open source controls, 62 percent with
elite programs have an open source governance policy in place, and
follow it, compared to just a quarter of those without DevOps practices.
For container controls, 51 percent of respondents with elite practices
say they leverage security products to identify vulnerabilities in
containers, while only 16 percent of those without said the same thing.

About CloudBees
CloudBees is powering the continuous economy
by building the world’s first end-to-end system for automating software
delivery, the CloudBees Suite. The CloudBees Suite builds on emerging
DevOps practices and continuous integration (CI) and continuous delivery
(CD) automation adding a layer of governance, visibility and insights
necessary to achieve optimum efficiency and control new risks. Since
every company in the world is now a software company, this new automated
software delivery system is becoming the most mission-critical business
system in the modern enterprise. As today’s clear leader in CI/CD,
CloudBees is uniquely positioned to define and lead this new category.
CloudBees puts companies on the fastest path to transforming great ideas
into great software and returning value to the business more quickly.

Backed by Matrix Partners, Lightspeed Venture Partners, Verizon
Ventures, Delta-v Capital, Golub Capital and Unusual Ventures, CloudBees
was founded in 2010 by former JBoss CTO Sacha Labourey and an elite team
of continuous integration, continuous delivery and DevOps professionals.
Follow CloudBees on Twitter, Facebook and LinkedIn.

About the Survey
The 2019 DevSecOps Community Survey
provides visibility into the attitudes of software professionals toward
DevOps best practices and the changing role of application security. The
results reported here came in response to 41 questions asked by Sonatype
and our DevOps community advocates including CloudBees, Signal Sciences,
Twistlock, and Carnegie Mellon’s Software Engineering Institute. The
survey’s margin of error is ±1.226 percentage points for 5,558 IT
professionals at the 95% confidence level.


Sydney Holmquist
PAN Communications