A new DevSecOps survey of enterprises says that only 28 percent of CISOs are confident that production applications are fully tested – with the biggest barrier to DevSecOps being that security teams do not trust developers, identified by 55 percent of organizations as the top issue.
Trust on the developer side is little better, with 49 percent of enterprises agreeing that developers perceive security teams as a blocker to innovation. In the UK, it is 55 percent, and in the US, 62 percent.
Observability vendor Dynatrace commissioned a survey of 1,300 DevOps and security professionals in large enterprises (defined as more than 1,000 employees), weighted towards Europe, which provided over 600 responses. The US contributed 200 responses and others came from Latin America, the Middle East and Asia Pacific.
The good news from the survey is that enterprises are succeeding when it comes to frequent deployments, one of the cornerstones of DevOps. 78 percent deploy updates every 12 hours or less, and 20 percent every minute. This is achieved through automation, though it comes at a high cost, with the average spend on automation across development, security and operations being $9.1 million, a figure that is expected to increase a further 35 percent by 2024.
CIOs and CISOs are not, in general, confident that these deployments are fully secure. Faced with high demand for technical innovation, 55 percent said they are making trade-offs between quality, security and user experience, and under a third of CISOs feel that applications are fully tested for vulnerabilities before going live.
One hot topic is the role of AIOps (Artificial Intelligence for IT Operations), defined by Gartner analysts as combining “big data and machine learning to automate IT operations processes, including event correlation, anomaly detection and causality determination.”
90 percent of respondents believe that increased use of AIOps will be key to improving security; yet 70 percent of CIOs also stated that they do not trust the accuracy of AI decisions, and that needs to improve before they can increase the use of AI-driven automation.
The human factors remain more important, though. 94 percent agree that “extending a DevSecOps culture to more teams and applications” is the key to better software quality without loss of velocity. That cannot happen unless the silos between DevOps and security teams are broken down.