Today’s DevSecOps teams face two major challenges — securing development cycles from the ever-increasing rate and complexity of software supply chain attacks and bridging the internal gaps within their organizations that have traditionally separated security and development efforts.
The Gartner report, Survey Analysis: Enabling Cloud-Native DevSecOps, provides key data insights that reveal the emergence of a common factor amongst these challenges: tools. Having the right tools for the job, combined with proper implementation, can be a deciding factor in what forms a successful DevSecOps team, but failing to choose the right solutions or to integrate them adequately has the potential to do more harm than good.
3 Takeaways from the Results
Lack of Automated Security Tools is a Top Challenge
Automated tools streamline security processes by reducing the potential for human error, facilitating quick decision-making, and decreasing complexity. Yet many organizations, particularly those that still rely heavily on legacy solutions, have not implemented automated tools within their cloud-native security processes. 20% of respondents noted a lack of automation in their current security toolset as their number one security challenge, while 35% of respondents said it was in their top three. It’s no surprise that many see this as a top challenge.
Ensuring that security and compliance checks are embedded at every step of the software development lifecycle, and that those checks are executed early and often, is at the heart of a successful DevSecOps team.
Tools Must Easily Integrate
A tool is only as good as its ability to fit within a team’s existing framework. Developers in particular have a set of tools already in place that they rely on to drive their daily workflows — solutions for coding, bug and fix tracking, internal communications, and team collaboration to name a few.
While only 11% of respondents said that integrating new processes and security tool sets with existing legacy ones was their number one challenge, 40% named it among their top three. It may not be at the top of the list for all, but the larger percentage of those surveyed placing it in their top three shows that this remains a major headache for DevSecOps teams.
Adding new security solutions to defeat evolving threats is essential for building securely, but those new solutions must integrate with existing tools so developers don’t have to leave the environments they are already working in. Having to do so will slow down the development process and, in some cases, may even drive teams to ignore their security tools, allowing threats to enter the build cycle undetected and unremediated.
Cloud-Native Specific Tools Are Essential
Combining the necessities of the previous two takeaways, 10% of respondents to the survey said that the number one most effective change in the DevSecOps pipeline was introducing new cloud-native specific security tools, with 20% citing that in their top three. An effective security posture is not “one size fits all”; no single posture will fit every team or every internal security need. Organizations must shift left and begin their security posture at the earliest stages of the development cycle, and to do so they must choose tools that meet the security challenges specific to cloud-native DevSecOps pipelines. These solutions must provide continuous security checks throughout each phase of development, scale without compromising speed or stability, and integrate with existing tools and processes.
No matter what size the organization is, evolving internal processes to adopt a DevSecOps approach is no simple task. Enabling DevSecOps with the right tools is the first step and requires more than simply checking off the security boxes. You must consider the tools that are already in place, how they will integrate and fit best with your organization’s infrastructure, networks, processes, and teams. Choosing the right solutions to secure your product throughout the development cycle allows your organization to build securely and meet release deadlines without compromise.
GARTNER is a registered trademark and service mark of Gartner, Inc. and/or its affiliates in the U.S. and internationally and is used herein with permission. All rights reserved.