DevSecOps: Developers Gain Authority as Security Shifts Left
Insight by J. Derrick Wood, Bryan Bergin, Nicholas Altmann, Andrew Sherman, Jared Levine and Zachary Ajzenman
THE COWEN INSIGHT
We follow up on last year’s DevOps report with our next iteration, DevSecOps. DevSecOps serves as the next iteration of DevOps, addressing the last bottleneck by integrating security practices at every phase and embracing “continuous” principles.
COVID-19 has accelerated transformation efforts. Our survey shows healthy spending & more modernization initiatives at hand. We also see a trend of developers gaining greater budget authority, in part driven by new security workflows. Many public & private companies are well positioned to capitalize.
Updates Since our Inaugural DevOps Report
In May 2019, we published our inaugural DevOps report outlining how software development & delivery approaches were radically changing and how new market opportunities were emerging. Since then several companies have gone public, some have substantially shifted their product strategies towards DevOps, and lots of M&A took place. In this next installment of our analysis, we focus on DevSecOps.
The DevSecOps Evolution
Companies have leveraged DevOps methodologies to shorten their software innovation cycles and ship more code to production in order to accelerate digital initiatives. With that, more vulnerabilities have been exposed and security concerns are on the rise.
Historically, even if companies adopted new DevOps practices, security teams often still existed in silos and did not embrace “continuous” methodologies. With security becoming an increasing priority, bringing it into the automation fold is rising. DevSecOps is the natural stepping-stone in the digital transformation journey. In fact, 71% of respondents in our survey indicate they are embracing “shift left” initiatives.
Developers Are Taking On More Security & Budget Authority
Several factors are driving more security responsibility to developers, including
- Developers using more open-source in their software builds, introducing more vulnerabilities during the coding phase.
- ~9x more developers than security pros. If companies want to ensure more protection as they increase the velocity of code releases, developers need to take on more responsibility.
In addition, Kubernetes & containers are easing application configuration requirements and giving developers more innovation power. These trends are driving greater budget authority to developers. In line with this, we are seeing more DevOps vendors add security & other automation capabilities to their portfolios.
Spending Conditions Are Healthy
According to our survey, DevSecOps budgets have held up relatively well this year, up ~8% vs. Gartner’s forecast of -2.5% in total software spend. This implies DevSecOps is a high budget priority, with a ~10%+ market growth outlook in 2021. And based on our findings,we estimate a $14.4B TAM (2021). ITSM, CI/CD & Security are the top 3 areas of priority post COVID-19.