GitLab DevSecOps Survey Highlights Toolchain Sprawl Problem
Too many tools in the DevOps toolchain is a security risk that many now recognize, according to the GitLab 2022 DevSecOps survey.
Development platform services vendor GitLab released its annual global DevSecOps survey on Aug. 23, revealing the continued priority that is placed on security in the software development lifecycle.
Among the key highlights of the report is that security is both a top challenge and top area of investment for DevOps teams. That said, there is still a significant gap in the identification of security issues, with half (50%) of security professionals reporting that developers are missing security issues. The report also identified toolchain sprawl as a major concern, with developers spending increasing amounts of time managing complex toolchains.
Related: What Is DevSecOps?
"While we know maintaining toolchains is time-consuming, it was surprising to find that developers are spending more time than ever maintaining and integrating their toolchains," Johnathan Hunt, vice president of security at GitLab, told ITPro Today. "Nearly 40% said they spend between one-quarter and one-half of their time on these tasks — more than double the 2021 percentage."
GitLab DevSecOps Study Identifies Toolchain Sprawl Challenges
Forty-one percent of DevOps teams reported that they use between six to 10 tools, according to Hunt. While he admitted that toolchain sprawl is ever-prevalent, the significant increase is notable.
"Quite frankly, developers' primary responsibility is to code. Traditionally they are rewarded for how quickly they code and not how secure the code is."
— Johnathan Hunt, vice president of security, GitLab
Organizations are aware of their toolchain sprawl, with 69% of respondents noting that they want to consolidate their toolchains. In Hunt's view, there is a desire to move away from best-in-class tools toward consolidated toolchains because of ongoing supply chain risks. It's a give and take, he said, but a reduction in tools not only reduces risk from the supply chain but also makes organizations more effective. A consolidated toolchain means fewer vendor risk assessments, threat models, potentially vulnerable third-party libraries and components, as well as a reduced landscape of penetration tests and security scans.
"Toolchain consolidation is well within the realm of possibility for organizations, but in order to accomplish it, it's critical to invest in a single platform," Hunt said.
GitLab DevSecOps Study Identifies Security Gaps
The GitLab DevSecOps report found that 50% of security professionals believe developers are not properly identifying security issues.
Related: How to Get Developers to Go All-In on Security
According to Hunt, security professionals report that developers fail to identify security issues largely due to a lack of visibility. A third of security professionals noted that further communication and collaboration would help them with their roles, he said.
"While DevSecOps teams are running more scans, results continue to lag," Hunt said. "To remedy this, teams need to shift left and increase transparency between developers and security professionals."
Additionally, Hunt said there's a lack of secure code training and knowledge or skill in detecting security issues.
"Quite frankly, developers' primary responsibility is to code," Hunt said. "Traditionally they are rewarded for how quickly they code and not how secure the code is."
More Money Is Needed to Improve DevSecOps
In the coming years, Hunt said he'd like to see funding for security increase.
Despite an appetite to shift security left, only 10% of survey respondents report receiving additional budget for security in 2022. According to Hunt, there's a disconnect between what the goals for security are and what the budget is, and he'd like to see security teams get the support they need from leaders in the form of monetary investment.
"Respondents share that security is the No. 1 investment area for 2022, and we hope that the goal to invest in security comes to fruition," he said.
Read more about:
DevSecOpsAbout the Author
You May Also Like