It’s taken quite some time to get here, but enterprise IT execs are finally embracing DevSecOps. The latest indicator that it’s happening is the 2018 Gartner Magic Quadrant for Application Security Testing, which predicted in March that “by 2019, more than 50% of enterprise DevOps initiatives will have incorporated application security testing (AST) for custom code, an increase from fewer than 10% today” (Gartner 2018 Magic Quadrant for Application Security Testing, March 2018).
Why such a jump and why now? Gartner’s analysts have pointed to a slew of bad security headlines that have scared enterprise IT into opting for DevSecOps. But whatever is changing those executives’ thinking, there’s little doubt that it’s happening.
“I think that the Gartner Magic Quadrant is a really good barometer for what customers are asking about today and what they’re looking at in the near future. And so when I read the report, the one thing that struck me was the number of times the analysts mentioned DevOps or DevSecOps. In the report, according to my calculations, it was more than 20 times," said Jessica Lavery, the director of corporate communications for Veracode. “And I think this demonstrates how much Gartner is being asked about DevSecOps."
One key part of this movement has been the growing awareness of problems with reusing open source code, which has become both commonplace and best practice as development speeds have skyrocketed. That awareness has recently changed in two ways. Ongoing news coverage of open source vulnerabilities has made the issue harder to avoid. But it's not solely awareness that has changed. Cyberthieves, as they learn more about open source malware possibilities, are rapidly increasing their malicious use of open source code.
Also, many open source vulnerabilities are not malicious acts done by cyberthieves, but unintentional security holes created by overworked developers. Don't forget that the devastating Heartbleed security problem was the simple result of a German developer who accidentally missed a single validation. And before that, one of the most harmful worms on the Internet—the 1988 Internet worm from Robert Tappan Morris—was the result of Morris making a small math error. Whatever their cause and intent, enterprise IT execs have finally taken notice.
"What I think is happening here is that DevOps was a movement that had quite a bit of traction in terms of theory and people being interested in how it works, and now we’re starting to see that adoption. And, from our standpoint, as companies begin to implement it – DevOps and DevSecOps initiatives – they’re starting to see that it is helping them produce software at a faster rate. And because they’re able to do this at a faster rate, they also need to ensure that it’s secure," Lavery said. "So as companies are getting more used to the DevSecOps process, they need to make sure they are adding security in the process earlier. And I think that’s what’s going to cause the acceleration over the next two years is companies realizing that 'we have the ability now to integrate security earlier.' And that’s going to make application security go from something that was an afterthought to something that is a priority."
Development speed—or, more precisely, the perception of development speed—was a major factor in the delay of DevSecOps for many years. Enterprises have always sought very rapid development, and enterprise IT management often incorrectly saw security testing as slowing operations down. But as IT realized that security could be cleanly integrated into the development process and actually accelerate app deployment, the change in attitude was rapid.
"CISOs realize that breaches are happening and, as a result, they want to make sure that they’re protecting their companies and their customers from that liability, so as they’ve already hardened their networks and they already have the infrastructure in place. This is the next frontier of security for them," Lavery said. "In the past, we would talk about breaches in the context of what was lost. And, of course, we still talk about what was lost in the breach: the data, the information, and how this impacted people. But now these stories tend to talk more about how the breach happened as well. I think as a society we’re becoming more savvy with technology and are able to have a deeper understanding about how breaches happened and, because of that, we are able to push from the consumer side and thus the vendor-side. We can say 'we want more secure applications. It’s not all right that we have applications that we’re using or are interacting with companies through web applications and that cyberthieves can easily get in through these vulnerabilities.' And I think that awareness is helping to drive companies to say, 'I need to prove that I’m secure' and the only way to do that is to have a secure development process."
Magic Quadrant for Application Security Testing, 19 March 2018
Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner's research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.