Security a Top Priority in the Software Development Process, Report Finds

Security remains a priority for DevSecOps, which is increasingly turning to developers and technology as part of the process, according to a GitLab DevSecOps report released Thursday. 

For example, there was an increase in developer led-security. According to the report, 71% of respondents said that their vulnerabilities are being caught by developers.

“That’s a sort of a signal to me that the security organizations I think are getting more comfortable with developers finding and correcting vulnerabilities during the development process, rather than waiting until the end, and then doing what folks traditionally do: running it through a bunch of tools, generating a report and then spending months fixing everything that’s in that report,” Bob Stevens, GitLab’s vice president of public sector, told Nextgov. “So, to me, the security groups [are] embracing the tools that exist and starting to rely more and more on them to be able to ensure that code is being developed securely.”

Despite the need for better digital experiences and improved security, the report found that 75% of public sector respondents reported deploying software at the same rate or slower than last year. In the 2022 report, this was 59% of respondents. 

“I’m surprised that number is so high, especially with the tools that exist out there today, but maybe I shouldn't be surprised,” Stevens said. “But I can tell you that there’s a lot of agencies that are still stuck in waterfall and haven’t moved to agile development and they’re still very stove-piped and they’re struggling to figure out how to get out of that scenario. It’s a cultural change is really what it comes down to.”

However, Stevens noted for the commercial sector this is only 40%, which he stated “would indicate that the government is falling behind in regards to their transition to newer development tools and building software factories and the deployment of a platform.”

Meanwhile more than 50% of government respondents reported evaluating or buying a DevSecOps platform in the next one to three years. 

However, the report found that 44% of public sector respondents were using more than six tools and some were using more than 15 tools. 

“The more tools you use, the more opportunity you create for vulnerabilities or poorly written code,” he added. “You also slow things down because things can be written in a stove pipe and then you try and merge all those pipes together in the end and, oh, by the way, they normally don’t work well when you do that. So you slow things down when there’s that many tools. Cost is another thing.”

Moreover, 59% of government and defense or aerospace respondents are looking to consolidate the number of tools they use.  

According to Stevens, this can help “reduce complexity, increase speed to mission, reduce cost,” which includes the cost of the tool and training. He added it also makes remote work more feasible.

Meanwhile, artificial intelligence and machine learning were also important for DevSecOps, the report noted. Specifically, developers that used a DevSecOps platform were more likely to utilize automation and AI or ML for testing purposes than those who do not use a platform. In particular, 65% of developers said they are using AI or ML to test or would be in the next three years. Additionally, 62% of developers using AI or ML use it to check code, an increase from the 2022 report which only had 51% of developers using it for this purpose. Furthermore, 53% of developers using AI or ML use bots for testing, in 2022 this was 39%. 

“I think that this is to help with speed to mission,” Stevens said. “If you don’t have to reinvent the wheel and you can rely on AI or machine learning to do something or aid in something that's kind of common in development, then you can help save time and ensure that it's secure. Both right, you're gonna accomplish efficiency and security. So, I think we're going to see more and more use of AI, in particular, in software development because there’s just aspects of it where it just makes sense. It just makes everybody's life a lot easier to be able to write the code.”

GitLab surveyed more than 5,000 IT and software professionals, including public sector professionals, in March 2023 for this report.