Application security

Introduction to DevSecOps and its evolution and statistics

Nitesh Malviya
January 9, 2023 by
Nitesh Malviya

Note: we also provide an introductory article for those who need context for the evolution from DevOps to DevSecOps

Software development quality — and application security — have taken center stage as companies try to innovate more quickly. The development, security and operations teams (or DevSecOps teams) must ensure that their procedures are compatible with contemporary cloud environments for software development teams to strike a balance between speed and quality during the software development cycle (SDLC).

In 2022, DevSecOps approaches will likely gain more traction because of several concurrent technological advances. These DevSecOps trends will also support teams as they incorporate security and compliance into workflows without hindering creativity or adding extra workload for time-pressed teams.

11 courses, 8+ hours of training

11 courses, 8+ hours of training

Learn cybersecurity from Ted Harrington, the #1 best-selling author of "Hackable: How to Do Application Security Right."

DevSecOps technological trends

Widespread use of infrastructure as code (IaC)

Instead of using hardware, IaC codifies and administers IT infrastructure. Developers and operations teams can use software code to automatically manage, monitor and deploy IT resources rather than manually configure one device after another. By 2023, 60% of businesses will be utilizing infrastructure automation technologies as a component of their DevOps toolchains, increasing the effectiveness of application deployment by 25%.

Attacks via vulnerable third-party code

Organizations may become exposed by integrating external code or code libraries into their software as cyberattacks become more frequent. Thus, from a security perspective, they must carefully evaluate third-party code for errors, including vulnerabilities and bugs.

GitOps Adoption

Using Git, an open-source version control system, GitOps provides a framework of procedures for managing infrastructure and application configurations. Git is the only reliable source of information and the primary control mechanism for dynamically adding, modifying and deleting system design. GitOps advances ensure Infrastructure as Code since it makes automation possible.

Kubernetes infrastructure

Kubernetes manages the deployment, scalability, and administration of containers. Adopting Kubernetes can significantly increase efficiency and make DevSecOps pipelines easier to create, test and deploy.

Serverless architecture

Serverless computing enables businesses to use resources as needed. Businesses may scale up and down on demand by giving a cloud provider control over their infrastructure. Only the resources that an organization uses are charged for. Serverless computing enhances disaster recovery and the resilience of IT systems because cloud providers host the infrastructure.

Microservice application development

Organizations can gain from more flexible, incremental development to meet the needs of business units by breaking services down into modular components. Microservices also make it possible for developers to address issues when they arise without affecting the entire application. DevSecOps teams can maintain their flexibility and agility while simultaneously focusing on the security and quality of their code thanks to this type of modular application development.

Market data for DevSecOps

  • Between 2017 and 2023, the global DevSecOps market is anticipated to expand at CAGR of 33.7%.
  • In 2021, the DevSecOps market was estimated to be worth $3.73 billion.
  • According to projections, the DevSecOps market would increase at a CAGR of 30.76% from 2022 to 2030, reaching $41.66 billion.
  • It was predicted that the surge in cybercrime from various sources would cost the globe more than $6 trillion in 2021.

DevSecOps and cloud security statistics

As cloud computing and storage become, many enterprises need more widespread, stringent security precautions. Even if your development pipeline does not include cloud technologies, Kubernetes, microservices and containers all present numerous ports of entry for an incursion.

  1. Even though some of these facts don't directly relate to DevSecOps, they'll probably help the technology catch on.
  2. Security experts gave their organizations' security efforts a "good" or "strong" rating in 72% of cases.
  3. DevOps teams are performing more security scans than ever: more than half perform SAST scans, 44% perform DAST scans and almost 50% examine containers and dependencies.
  4. According to 70% of security personnel, security has swung to the left.
  5. Seven hundred and seventy vulnerabilities were found in the first six months of 2021, more than in any other historical year, setting a record for zero-day attacks.
  6. According to Gartner, global spending on cloud services will surpass $482 billion by the end of 2022, a 54% rise from 2020.

DevSecOps user statistics

  1. DevSecOps ensures that security controls are in place throughout the development process by integrating security where it is required into the CI/CD pipeline. This avoids the hazards that you will notice in the numbers that follow.
  2. DevSecOps is now used by 36% of respondents when developing software, compared to 27% in 2020.
  3. According to 96% of respondents, automating security and compliance operations, a core DevSecOps principle, would be advantageous for their firm.
  4. 60% of engineers release code twice as quickly, thanks to DevOps principles. However, improved speed comes with a cost: due to time constraints, almost half of enterprises knowingly release insecure code.
  5. Up 13% from 2021, about 25% of respondents said they have complete test automation.

Implementation statistics

  1. DevSecOps best practices were adopted for security, quality or resilience, according to 54% of respondents.
  2. A faster time to market for apps is, according to 30% of respondents, the main justification for using DevSecOps.
  3. According to 73% of respondents, manual security and compliance procedures tend to delay code releases.
  4. 96% of respondents claimed that automating security and compliance procedures would benefit their firm.

Jobs statistics

  1. DevSecOps engineers in the U.S. make an average of $140,000 per year.
  2. The starting salary for engineers is about $119,629. This entry-level wage is incredibly generous. 

Team statistics

  1. In 2021, 60% of rapid development teams had adopted DevSecOps procedures, up from 20% in 2019.
  2. Up 10% from 2021, 56% of the operations team personnel reported being "completely" or "largely" automated.
  3. In comparison to 41% in 2021, 75% of teams are either now employing AI/ML or bots for test/code review or plan to do so.

Making sense of DevSecOps statistics 

Based on the statistics above, it is clear that DevSecOps is here to stay because it offers organizations and businesses faster and more secure software development processes, greater pay and a clear career path for engineers.

Also, organizations must seriously consider having a strong DevSecOps team since it is a win-win situation for all the involved parties and stakeholders.

If you enjoyed this article, consider continuing to the next chapter, Understanding the DevSecOps Pipeline.

 

Sources:

Nitesh Malviya
Nitesh Malviya

Nitesh Malviya is a Security Consultant. He has prior experience in Web Appsec, Mobile Appsec and VAPT. At present he works on IoT, Radio and Cloud Security and open to explore various domains of CyberSecurity. He can be reached on his personal blog - https://nitmalviya03.wordpress.com/ and Linkedin - https://www.linkedin.com/in/nitmalviya03/.