DevSecOps Insights 2020

Written by:

January 28, 2020

0 mins read

We are thrilled to announce and share with you the Snyk 2020 DevSecOps Insights! In this study, we discuss the state of DevSecOps, key activities, focus areas, and takeaways.

This study is based on data presented in the Snyk 2019 State of Open Source Security report and the Puppet 2019 State of DevOps report.

The Snyk report presents the survey results of over five hundred respondents and the Puppet report presents data from 2,949 technical professionals.

Download PDF DevSecOps Insights 2020

An introduction to DevSecOps Insights 2020 study

Fast software development iterations call for baked-in security in order to keep up with the rate of building and shipping software. In a typical organization, security staff is vastly out-numbered compared to operations and developers. This significantly complicates the job of keeping up with security tests, reviews, etc, in order to mitigate the increasing application security risk.

Is security slowing down operations and developers? This is one of the major concerns and challenges for integrating security in development teams. Security teams remain accountable for the security of applications and related data, yet cannot introduce disruption to the development teams' workflows. To overcome these challenges, development and security teams need to adopt new ways of working together, develop new processes and adopt new tooling. DevOps teams do not prioritize for security in a build pipeline or security monitoring, as there are other concerns they are tasked with. So, even for empowered DevOps teams, security is still mainly an afterthought.

Join us on the live webinar event on January 30th 11AM Eastern Time:


To address security concerns while keeping up with the rapid pace of software delivery, we need to adopt processes, culture, and proper tools through automation which sustains fast development iterations. These enable development teams to integrate security tooling within their build pipelines to detect vulnerabilities early on, and fosters healthy collaboration across security and DevOps teams.

In this report we aim to explore the state of DevSecOps adoption and the challenges organizations and teams face. What we aim to gain from this research is better insight into practices and tools that accelerates DevSecOps adoption.

DevSecOps Key takeaways

Following are takeaways and challenges faced in the DevSecOps journey:

CULTURE Security is perceived as an activity that slows down the business and overall software delivery. 33% of respondents, within the highest level of security integration, still feel that security is a major constraint on the ability to deliver software quickly.

TOOLING 79% of organizations are positioned at a medium level of DevOps evolution and face challenges in scaling the tooling, culture, and practice to properly support the business.

CULTURE Key security activities, such as threat modelling and security tools integrated in the development pipeline, contribute to a sense of shared responsibility across different functions of the business. Seeing security as a shared responsibility improved by 31% between Level 1 — the lowest level of security integration within an organization — and Level 5, the highest.

TOOLING 22 percent of firms at the highest level of security integration are also at an advanced stage of DevOps evolution.

CULTURE Even though there is a high correlation between the maturity of security integration and the sense of shared responsibility, 29% of all organizations, positioned at the highest level of security integration, still feel that security teams and delivery teams encounter a lot of friction when collaborating.

TOOLING 65% of respondents confirm that they employ automated security testing tools to audit their code, while a security code review is an activity that 79% of respondents follow.

CULTURE 81% of users feel developers are responsible for open source security and 68% of users feel that developers should own the security responsibility of their container images.

TOOLING 37% of users don't implement any sort of security testing during CI.

TOOLING 57% of respondents test for known security vulnerabilities in their open source dependencies, and 36% of respondents perform static application security testing for their own code.

TOOLING 31% of respondents aren't tracking any application dependencies in use within their organization, and 37% are only tracking direct dependencies.

Continue reading our DevSecOps Insights 2020 study:

DevSecOps Insights 2020

Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo