DevSecOps Insights 2020

86% of security and tech roles agree that security is a shared responsibility

Having a sense of shared responsibility across the organization contributes to an elevated security- first mindset among employees who will seek out to question and challenge solutions regarding the security impact of the products they build.

Deeply integrated security increases the sense of shared responsibility

DevSecOps Insights 2020 study

Notably, the report demonstrates that security is a shared responsibility in the place of work, for 86% of security professionals.

How do you increase the sense of shared responsibility for security in an organization?

Puppet’s State of DevOps report analyzes how security adoption varies between different organizations depending on their DevOps practices and provides important insights on security posture of businesses.

The more highly evolved organizations are much more more likely to have integrated security across the software delivery lifecycle. The Puppet report finds that 22% of the organizations with the highest level of DevOps maturity (Level 5), are also at the highest level of security integration.

We found that the more security is integrated into the software development lifecycle, the more delivery teams see security as a shared responsibility. In fact, seeing security as a shared responsibility improved by 31 percentage points between Level 1 and Level 5.

– Puppet 2019 State of Devops

DevOps maturity directly impacts strong security adoption

The report also points out that 16% of organizations where at Level 1, the lowest level of security integration. Puppet’s findings align well with the Snyk State of Open Source Security report from February 2019. The Snyk report highlighted that a significant 37 percent of the users don’t do any sort of automated security testing during a CI phase.

To put this in further context, the Puppet report highlights that the majority (75%) of the organizations at Level 1 of DevOps maturity, get involved with security activities only on an ad-hoc basis, for example, when security issues are escalated from production. This demonstrates that businesses are still at a very early stage of DevOps evolution and maturity. These organizations act reactively to security threats instead of proactively addressing security concerns, not allowing potential hacks and breaches to pose any risk.

Continue reading our DevSecOps Insights 2020 study:

Download PDF DevSecOps Insights 2020