
Key Findings from the 2019 State of DevOps Report


Learn how to make security work in your DevOps practice.
We already know that advanced DevOps companies release software faster, with fewer errors. Did you know they also have the best security? (To be fair, we didn’t either until we got the analysis back from our 8th annual State of DevOps survey.)

In this webinar, the authors of the 2019 State of DevOps Report will walk you through the most important things they learned about how organizations are successfully integrating security into their DevOps practices — and the results they’re seeing.

We hope you’ll join us at this APAC timezone webinar on Wednesday, 23 October 2019 at 11 a.m. SGT | 2 p.m. AEST, where you can expect to learn:

  • Which DevOps practices are most important for improving your security posture.
  • How security integration affects everything from your ability to deploy on demand to the time it takes to remediate vulnerabilities.
  • What to expect as you integrate security into the software delivery lifecycle. (Hint: It’s not all sunshine and rainbows.)

Webinar presenters and 2019 State of DevOps Report authors: Alanna Brown and Nigel Kersten of Puppet, Andi Mann of Splunk, and Michael Stahnke of CircleCI.


Key Findings from the 2019 State of DevOps Report

  1. 2019 State of DevOps Report Findings
  2. 8 years of DevOps research
  3. Good security doesn’t pay the bills.
  4. Cost of fixing defects by delivery phase (Source: IBM System Science Institute)
  5. Security is not a priority
     • 88% growth in application vulnerabilities over two years
     • 78% of vulnerabilities are found in indirect dependencies
     • 37% of open source developers don’t implement any sort of security testing during CI, and 54% of developers don't do any Docker image security testing
     • Median of 2 years from when a vulnerability was added to an open source package until it was fixed
     Source: https://snyk.io/opensourcesecurity-2019/
  6. Levels of security integration. Survey question: during which of the following phases of your software delivery cycle is security involved?
     Software delivery phases: requirements, design, building, testing, deployment.
     Levels of security integration:
     • Level 1 - No integration in any phase
     • Level 2 - Minimal integration (1 of 5 phases)
     • Level 3 - Selective integration (2 of 5 phases)
     • Level 4 - Significant integration (3 or 4 of 5 phases)
     • Level 5 - Full integration (all phases)
     Chart: % of respondents at each level of security integration.
  7. Doing DevOps well enables you to do security well.
  8. Cross-team collaboration builds confidence in security posture.
  9. Security integration and confidence in security posture. Chart: respondents who feel their organization’s security processes and policies significantly improve their security posture.
  10. Top 5 practices that improve confidence in security posture. Practices that span multiple teams and promote collaboration are most impactful:
     • Security and development teams collaborate on threat models.
     • Security tools are integrated in the development integration pipeline.
     • Security requirements are prioritized as part of the product backlog.
     • Infrastructure-related security policies are reviewed before deployment.
     • Security experts evaluate automated tests.
  11. Security practices and their effects on security posture
     Frequent use / lower importance:
     • Domain-specific tests
     • Penetration testing
     • Infrastructure provisioned / configured automatically using security-approved procedures
     • Dependency checkers
     • Static code analysis
     • Security requirements tested as a design constraint
     Infrequent use / lower importance:
     • Developers can provision a security-hardened infrastructure stack on demand
     • Security review occurs after new application code is released to production
     • Security personnel review / approve minor code changes before deployment
     Frequent use / higher importance:
     • Infrastructure-related security policies tested / reviewed before deployment
     • Security requirements prioritized as part of the product backlog
     Infrequent use / higher importance:
     • Security and dev teams collaborate on threat models
     • Security tools integrated into the dev ecosystem so developers can implement security features during the development phase
     • Security experts evaluate automated tests
     • Security personnel review / approve major code changes before deployment
  12. Integrating security leads to positive outcomes.
  13. Ability to deploy vs. actually deploying
  14. Time to remediate critical vulnerabilities
  15. Ability to prioritize feature delivery vs. security improvements
  16. Security integration is messy.
  17. Friction between teams. Chart: respondents who feel the security team encounters a lot of friction when collaborating with delivery teams.
  18. Security integration and audit issues. Chart: security issues revealed by audits always or often require immediate attention.
  19. Thank you.
  20. Security is a shared responsibility. Chart: security is a shared responsibility across delivery and security teams.
  21. Responses by global region
  22. Industries
  23. Role within organization
  24. Department
  25. Teams
