DevSecOps is not easy but it is moving forward
On May 4, 2021, GitLab released its DevSecOps report for the fifth year in a row. The report is drawn up by requesting and processing information supplied by nearly 4,300 professionals working in a DevSecOps environment. It shows that DevSecOps is not easy, but it is moving forward.
The overall tendency of the report is that DevSecOps is finally growing up and transcending the “culture fit” discussion – which, to put it simply, states that DevSecOps can never be successful without a cultural transformation of the underlying organization.
It is quite impossible to do justice to the extensive report by just summarizing its findings. For this reason, I decided to focus on four key findings and delve a bit deeper, to interpret their impact on the IT landscape in your company.
In 2021, 37% of respondents use microservices to some extent (up from 26% in 2020) and 37% do not employ Kubernetes (down from 50% in 2020). This means that Kubernetes is gaining serious traction as the platform of choice underlying the architecture shift from monolithic applications to microservices, and that it supports the evolution of service-oriented architectures towards more fine-grained services. But it also means that the complexity of the container landscape is rapidly increasing, which necessitates orchestration tooling.
In order to make sense of these numbers, two reports are helpful: the CNCF Survey from 2020 and the VMware State of Kubernetes 2020. The CNCF survey focuses on corporations that are using containers one way or another. Even though it is nearly a year old and the 2021 update is expected in June, the report states that 83% of respondents use Kubernetes in production (up from 78% in 2019). It could be said that the respondents of the CNCF survey are more willing to employ cutting-edge technology.
The VMware report focuses on more traditional corporations with more than 1,000 employees and takes a specific look at Kubernetes as a cluster orchestration tool. It shows that 60% of corporations are using Kubernetes as their tool of choice, whereas others rely mostly on earlier tooling (or no orchestration at all). Of that 60%, a third are running 26 clusters or more, and a fifth more than 50 clusters, which represents a serious volume of workloads.
Of all respondents, 70% state they use a DevOps platform – even though the report proposes no definition for the term. The type of work done in DevOps is broadening, however: in 2020, the focus was primarily on CI/CD. In 2021, this is shifting to include topics such as GitOps, NetDevOps (network at scale) and putting to use the power and possibilities of site reliability engineering (SRE).
Thanks to these platforms, 60% of developers are releasing code 2x faster than before (up from 25% in 2020). And 56% of Ops team members state they are “fully” or mostly automated (up from 46% in 2020). The reason for this steep increase might have to do with COVID-19, which resulted in a significant increase in working from home, which in turn necessitates automation such as that provided by DevOps platforms. The change, however, seems to be permanent. It is highly unlikely that teams will return to an old way of working post-pandemic.
As DevOps platforms mature, it is important for organizations to have a holistic vision of what such a platform entails. DevSecOps should take three factors into account: bringing code to production faster, more accurately and more securely. The speed factor seems to be under control, with a steady toolset available and implemented in a majority of organizations. Accuracy (see also finding three) and security (which warrants an article on its own) should be the focus areas for the next few years. For example, of all respondents that state they release code faster, only 10% have implemented automated testing and an even lower 2.7% employ automated security testing.
AI/ML in DevOps
In 2020, 4% of respondents stated they use AI/ML in DevOps. In 2021, 11.5% do. The field of artificial intelligence and machine learning holds a lot of promise. Developers recognize this (30% think understanding it will be critical to their career), but Ops not so much – even though AI/ML might have a more significant impact on Ops. Maybe this has to do with the fact that even though it holds a lot of promise, both fields have yet to materialize in usable, mainstream Ops products.
The finding that testing causes delays is nothing new, as it featured prominently in the previous two reports as well. The root cause of the delay is a mixed bag of tooling, culture and processes. Some developers appear to be unaware of the necessity of code reviews, or simply do not know how to perform them properly (culture and tooling), whereas code reviews themselves can take a long time, with little to no feedback from end-users (processes). Test automation still leaves a lot to be desired, which corresponds with the finding that only 25% of the respondents claim to have full test automation in place (even if this is nearly double the figure in last year’s report).
Automation is key to fixing these delays but is apparently still hard to achieve. A lot of testing is still done by hand, by QA teams, which are overwhelmed by the ever-increasing pace of releases. Progress in test tooling and organizational awareness need to go hand in hand here. A promising development is that on the tooling side, 41% of teams are either using AI/ML or bots for test and code reviews or planning to – up 16% from 2020. Another 34% are exploring the possibilities of AI/ML.
In 2021, 72% of respondents state the security efforts in their organizations are strong (32.51%) or good (39.52%), up from 59% in the previous year. The reason is threefold. First of all, security professionals are finally accepted in DevOps teams and not regarded as additional hurdles before production, with only 20% of them stating their role is not changing.
Second, security tooling such as Sysdig is rapidly evolving, which enables security professionals to operate and act earlier in the development cycle (shift left). There is, however, still a big hurdle to overcome as far as the presentation and interpretation of the tooling’s results are concerned. Even though over 50% of developers run automated security scans in some form, less than half of the results of those scans are directly available to these developers.
And finally, whereas in 2020 most (93%) security professionals stated that they, not developers, found the majority (75%) of bugs in software code, this went down to 45% in 2021. These significantly lower numbers can only point to a closer collaboration between Ops and Sec, which in the long run will be beneficial to code quality and security.
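What the shift-left tooling mentioned in the second point looks like in a pipeline, as an added example that is not part of the original article or of the GitLab report: a minimal `.gitlab-ci.yml` that pulls GitLab’s own SAST, secret detection and dependency scanning templates into every pipeline, so that scan results are produced alongside the build and shown in the merge request the developer is already looking at, rather than in a separate security tool. The project layout, the `build` job and the excluded paths are assumptions for the sake of the example.

```yaml
# Added example, not from the article or the report. Assumes a GitLab
# project with a conventional build/test layout; the excluded paths are
# placeholders for the project's own test fixtures and vendored code.
stages:
  - build
  - test

include:
  # GitLab-maintained templates. Each adds jobs to the "test" stage that
  # emit a JSON security report, which GitLab renders inline in the merge
  # request so findings reach the developer without a separate dashboard.
  - template: Security/SAST.gitlab-ci.yml
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml

variables:
  # Keep the scanners away from paths that only produce noise
  # (hypothetical layout for this example).
  SAST_EXCLUDED_PATHS: "spec, test, tests, tmp, vendor"

build:
  stage: build
  image: alpine:3.13
  script:
    # Placeholder for the project's actual build; the scanners above run
    # in the following stage against the same checkout.
    - echo "build step placeholder"
```

The template jobs report findings but do not, by themselves, block a merge; whether a pipeline should fail on a finding of a given severity is a policy decision for the team, and making that decision explicit is part of turning “results exist somewhere” into results developers actually act on.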