Here are some key takeaways gained about security professionals. Through this survey we take a deeper dive into each of these findings in the body of this report.Download Now
61% delay critical security projects due to rapid deployments
59% spend days, weeks or more per year investigating false positives
85% believe manual security work hurts the rate of deployment
92% Want control through configurable policy
DevOps has proven pivotal to the growth and sustainability of many companies worldwide. However as with any form of progress, it's also introduced new obstacles. This is most evident amongst security professionals. These critical practitioners are responsible for evaluating and elevating the security posture of their organizations in effort to stop data breaches and bad actors.
As software grows in complexity and release cycles continue to accelerate to every other week, it becomes increasingly difficult to even just maintain your existing security posture. New CVEs pop up at an alarming rate and manual processes are slowing security teams down. If these critical employees can't find a solution to maintain pace with the rapid rate of deployment, their work is going to get away from them and we're going to see exponential increase in data breaches worldwide. Some companies will be able to sustain this, but most won't.
With this survey, we look at how security professionals have integrated with DevOps processes, what challenges they face with that integration, and what they believe is the path forward to not only secure companies, but happy & empowered security teams. Our goal is to share what challenges are fueling DevSecOps, projected to be a $23.42 billion market by 2028, in order to help us understand what we can do to fix that and help security teams perform the best work of their lives.
Because the purpose of this survey was to learn more about security professionals specifically, we limited our query to only those individuals actively working in that role. By far the largest group, 64%, work for companies described as being in the technology industry, and 50% of the respondents work for large-to-enterprise businesses (1.000 - 10,000+ employees).
If we were to build a baseline profile of the typical respondent for this survey, it would be a security leader who works at a large-sized, cloud-native technology company.
|Utilities / Energy||0.7%|
|Director of Security||26.7%|
|CSO / CISO||14%|
|VP of Security||9.3%|
|Large (1,000 - 10,000)||43.3%|
|Medium (100 - 999)||37.3%|
|Small (1 - 100)||6.7%|
|Enterprise (10,000 +)||6.7%|
If our survey represents the industry at large, it suggests that most security professionals work inside an agile process, specifically DevOps. According to Gartner in 2021, 83% of IT decision makers reported implementing DevOps. Compared to the 47% in 2016, it's clear that this trend is not going away any time soon, and our response of 92% in 2022 suggests just that.
We created this portion of the survey to illuminate the challenges and dynamics of security professionals working in an agile process. We look at the impact on workload and prioritization, and how that crosses over into satisfaction.
We'll provide insights into what security leaders should know about the experience of security professionals in DevOps.
The growing adoption of DevOps lines up nearly perfect with the growing rate of CVEs year-over-year. As a result of shipping software faster, we're reintroducing previously fixed vulnerabilities at an alarming rate. This never-ending treadmill has security teams moving fast, but going nowhere. As organizations aim to deploy even faster, the difficulty to maintain a strong security posture and keep up with deployments is bound to grow.
In order to keep up with the growing rate of deployments, the majority of security teams are forced to delay critical security work such as securing a remote workforce, or simplifying cloud access controls. While securing every deployment is important, these critical security projects drive busines value and reduce risk in a constantly shifting security landscape.
It's also interesting to note that a sizable percentage of respondents indicated that they believe removing manual security activities from the DevOps process would have a positive impact on the process as a whole. As organizations deploy faster, automating security is the only path forward if security is to scale with modern software development.
Our picture has become more clear as we have looked deeper at what security professionals' experience is with the DevOps process. We know from their answers that the increase rate of deployments have introduced a serious and concerning challenge. They want a different way to work, but aren’t sure what that looks like.
Let's now pivot to look at the tools they use, how they add to the existing workload.
Tooling is designed to save us time, yet almost a third of security professionals spending nearly a third of their week investigating scanner results. Not only is this a manual process that doesn't scale with the modern software development process, but it's economically impossible to dedicate resources to cover every application in the enterprise.
|20 - 29%||27.3%|
|30 - 39%||24%|
|40 - 49%||16%|
|10 - 19%||11.3%|
|Less than 10%||4%|
|10 - 19%||28.7%|
|Less than 10%||26%|
|20 - 29%||17.3%|
|40 - 49%||14%|
|30 - 39%||7.3%|
When your tooling focuses on a symptom, like network data, rather than the cause, like your applications' code, the best you can do is make an educated guess.
Security teams have too little time and too much to do to base their workload on assumptions. As the rate of deployments increase the number of false positives and negatives that security teams have to investigate will also increase.
There's hope though. Next let’s turn our focus to a path forward.
The notion of shifting security earlier in the process is only a part of the equation. If you merely shift the same activites earlier in the process, you still have to do those same activities. Most security professionals don't want to just shorten the feedback loop with engineering, but automate it with control through policy, where security happens as the application executes.
Security-as-Code enables security to scale with modern software development for the first time. By providing security teams the template to immutably tell their applications what behavior they want to secure and what they expect, both security and development teams can focus on just doing their jobs without the back-and-forth.
Next let's dive into an introduction on Security-as-Code.
Security-as-Code is the practice of leveraging machine-readable definition files that use high-level descriptive coding language to automate security behavior in the runtime. This approach drastically reduces reliance on human intervention and grants security teams autonomy while allowing engineers to focus on development rather than vulnerability remediation.
When an action is performed on your applications for the first time and an attempt is made to execute vulnerable code & a checksum check tells your application to ignore the code. A healthy version of the code is returned instead in real-time as defined in your Policy Config file. On any additional call to that same function, the healthy version will be made available, resulting in even faster execution.
Solve Security at Scale
Don't Fret Code Changes
To learn how Security-as-Code can help your security team get in front of the growing rate of deployments, never experience another security regression and wave goodbye to false positives & negatives, watch the Waratek Demo.Start Demo
Utilizing security as code enables organizations to scale with modern software development by codifying security and policy into development processes and workflows.