Recently, ESG and Bugcrowd released a report outlining trends in application security according to security leadership. One of the major trends centered on DevSecOps adoption.

According to the report, organizations show strong interest in leveraging DevOps to automate security. Nearly 4 out of 5 organizations in this study have adopted DevOps, and more than 4 out of 5 are planning to integrate cybersecurity processes and controls in the continuous integration and continuous delivery (CI/CD) processes of a DevOps approach (DevSecOps).

Organizations that spend 15% or more of their IT budgets on cybersecurity, along with tech-sector companies, are the most ambitious with their DevSecOps planning. Cybersecurity automation—embedding processes and controls into DevOps, such as automating tickets and presenting bugs to the right people—leads in pre-deployment and runtime use cases.

DevOps and DevSecOps are in the planning stages for a majority of survey respondents for whom automating security and integrating security with the SDLC can provide operating and cost advantages.

While security stakeholders have competing viewpoints about DevOps, executive leaders and security stakeholders both think that DevSecOps is valuable. 93% of respondents strongly agree or agree that executives at their organizations are fully invested in protecting applications, but, at the same time, 92% strongly agree or agree that executives expect AppDev teams to speed up their rate of innovation and deliver value quickly. Enter DevSecOps as a means to achieve these otherwise conflicting objectives. Current and planned DevSecOps implementations are strong use cases for next-generation pen test and security automation solutions that help security analysts do their jobs faster and better.

The research data also indicates that large enterprises should look for application security help the most. Their pain (and need) is greater based on the number of applications and operational complexity, and large enterprises are more likely to have formal SDLC programs.

The research reveals that a community-based approach to proactively seeking out previously unknown vulnerabilities is not only of high interest but yields positive results. At the same time, as the cybersecurity industry has experienced in other domains in which next-generation solutions have been introduced, these solutions typically complement existing processes and controls, creating a compelling defense-in-depth strategy. 

For more insights on these trends and security leadership priorities for application security, check out the ESG Research Insights Report, Security Leadership Study – Trends in Application Security.