New 2023 SANS DevSecOps Survey explores DevSecOps challenges and trends.

In today's rapidly evolving digital landscape, the intersection of development, security, and operations has become paramount. DevSecOps, a methodology that integrates security practices into the DevOps workflow, has emerged as a critical approach to ensure the security and efficiency of software development processes. The new SANS survey report offers an informative glimpse into the state of DevSecOps, and presents a comprehensive analysis of survey demographics, key findings, and critical focus areas.

Survey demographics

The foundation of the report's significance lies in its survey demographics. With 363 respondents spanning a diverse array of roles, industries, and organizational sizes, the report provides a panoramic view of the DevSecOps landscape. It notes a shift toward security, with 34% of respondents directly engaged in security functions. The prominence of security administrators and analysts (10.2%) underscores how important security is to the DevSecOps paradigm.

A noteworthy revelation is the substantial representation of development roles. A full 21% of respondents hold roles as application developers, cloud architects, software engineers, and DevOps engineers. As DevSecOps shifts security left into development, the survey highlights the need for integration between these domains.

Perhaps the most compelling insight is that 13% of respondents hold business management roles, signaling that DevSecOps now has mainstream recognition as not merely a technical concern but a crucial business strategy. This shift demonstrates how DevSecOps is becoming a holistic organizational imperative.

Key report takeaways

High-level findings

Software Integrity Group (SIG) principal consultant & DevSecOps practice lead Satish Swargam provided his thoughts on this year’s high-level takeaways. Swargam summarized:

When not implemented correctly, a DevSecOps program often does more harm than good and can ultimately cause an organization’s application security program to fail. To combat this, we are seeing an increasing number of organizations forming strategic partnerships with external vendors to not only help transform their DevSecOps practice into one that is best suited for their existing application security program, but to also guide them on how to expand and better enable their capabilities internally.

A successful DevSecOps practice, on the other hand, will first focus on rolling out continuous automated security testing as well as fostering a harmonious culture between DevOps, security and leadership teams. It’s no surprise to see that these continue to be the leading factors of a well-rounded and mature DevSecOps program. When implemented correctly, DevSecOps empowers organizations to build a secure agile software development lifecycle and improve its overall security posture.

AST is shifting further left - before the first line of code

This year’s SANS found that respondents deemed the ‘most useful’ activity (35.9%) in their security efforts this year to be ‘upfront’ risk assessments that occur before development starts — up from the 9^th position in 2022.

Ksenia Peguero, PhD, a Senior Research Engineering Manager in the Synopsys Software Integrity Group commented:

Threat modeling is usually performed either by a third-party or by an internal security team. So, an increase in application security testing performed by external consultants could suggest that organizations relied on external consultants to perform threat modeling and upfront risk assessments, as those practices cannot be fully executed by application security testing tools or platforms. Security experts may use some tools to help generate threat models, but there always must be a human in the loop.

Organizations are seeking 3rd party support for AST

DevSecOps teams are increasingly looking to third-parties to supplement their AST program and lighten the testing load on internal teams. Survey responses also indicate that organizations typically have two or more internal teams doing some manner of security testing. Nearly all respondents have some external source for security findings. When asked “Who is responsible for conducting security testing in your organization?”, 52% responded with ‘"internal security team'" (down 16% from 2022), and 44.9% responded with ‘external consultants" (up 11% from 2022).

Ben Hutchinson, an Associate Principal Consultant with the Synopsys Software Integrity Group gave his analysis:

Refreshingly, in some areas we're starting to see a more balanced outlook integrating a range of application security testing (AST) approaches to optimize protection for the important applications that run our society. It's a notable improvement and one we should celebrate. But with a rapidly evolving threat landscape, and at risk software supply chain it's essential to keep our foot on the gas.

Organizations are using AI, cautiously 

A new trend in this year’s report is the number of respondents exploring artificial intelligence (AI) and data science for enhancing DevSecOps. This year shows a significant increase (+16%) in the use of AI or data science to improve DevSecOps through investigation and experimentation—up from 33% in 2022 to 49% in 2023. This trend mirrors the broader industry trajectory, as organizations increasingly leverage AI to automate and augment their security measures.

Despite the mainstream buzz to implement AI in every way possible, across industry verticals, security teams are still approaching AI with caution. Nearly one third of respondents (approximately 30%) reported not using AI or data science capabilities whatsoever, which may reflect organizations’ concerns surrounding data privacy and ownership of intellectual property.

Jamie Boote, an Associate Principal Consultant of the Synopsys Software Integrity Group provided context:

AI and ML-driven technologies are now to the point where they're ready for adoption by large enterprises. Early adopter companies are interested in seeing how they can take advantage of this powerful new software without suffering the pain that bleeding edge companies felt when sharing secrets or using AI-generated IP. These companies are looking to adopt AI and ML engines from providers like Microsoft and OpenAI, and they are also looking for guard rails to keep them safe. They are also seeking to leverage enterprise agreement—like those built by cloud hosts to ensure that client secrets are kept safe from re-use—and they're also looking to see that those secrets are kept safe from potential cybersecurity breaches, too.

Other companies are cognizant of the IP concerns associated with using the output of these AI tools and are focused on limiting the size of each individual contribution from AI tooling to sizes that are small enough to be considered generic and safe through the lens of IP law.

Supply chain remains a priority

This year saw a notable increase in the use of Software Composition Analysis (SCA) testing, with 75.9% of respondents saying that they found SCA tools ‘useful’. This rise in SCA usage signals that organizations are now taking supply chain security seriously (if they had not already done so).

Mike McGuire, a senior software solutions manager at Synopsys, gave his analysis of the findings:

It comes as no surprise that the top key performance indicator used to measure the success of DevSecOps activities are the number of open security vulnerabilities. Considering that the majority of modern application make-up is open source code, it’s acceptable to assume that the majority of these vulnerabilities are going to be associated with open source projects. This is precisely why software composition analysis (SCA), according to the SANS respondents, received a 75.9% “usefulness” score, second only to SAST. 

However, it’s not just SCA’s ability to help teams identify and manage open source dependencies and risk that makes it so enticing to those shopping around with DevSecOps motivations; it’s the manner in which it fits into the application lifecycle and enables multiple teams that makes it a true DevSecOps tool. Looking at the findings of the SANS report, we get a solid picture of how DevSecOps teams like to integrate security tools, when they like to run them, and who is responsible for the testing. Most respondents have their internal security teams integrate tools within build automation processes to perform security testing during code commit/pull request. 

SCA, when used in concert with SAST, is a crucial aspect of preventing application security issues from making their way into production. SCA tools also offer continuous monitoring so that open security vulnerabilities don’t plague deployed applications, without teams even knowing they’re existent to begin with. Combine that with SCA’s toolchain integrations, and it’s clear why DevSecOps teams are increasing their SCA adoption, as found by this year’s SANS report.”

How Synopsys supports DevSecOps efforts

Synopsys offers an industry-leading portfolio of application security testing (AST) solutions to empower your organization's consolidation efforts. Synopsys offers the "big three" testing protocols—static application security testing (SAST), dynamic application security testing (DAST), and source code analysis (SCA)—and a host of other tests as well, including interactive application security testing (IAST), fuzzing, and mobile penetration software. Synopsys AST solutions are open platform and include over 135 integrations, so you can make more efficient use of the tools you already own. Synopsys offers completely flexible security testing solutions that deliver results for your on-premises, software as a service (SaaS), or headless API environment. Regardless of whether you're using Synopsys solutions or third-party, open source, or manual testing solutions, they all integrate into Software Risk Manager, our application security posture management (ASPM) solution. At any stage in the SDLC, Synopsys has strategic solutions at the best value to map your program to consolidation success.

 Download the SANS Survey