ESG, Mezmo Report Identifies DevSecOps Obstacles

DevSecOps is a relatively new discipline that aims to inject security processes and controls earlier into the application development lifecycle.

However, despite the promises of DevSecOps, adoption of a proper DevSecOps strategy is painfully low, according to the "Leveraging Observability Data for DevSecOps" report written by analyst firm ESG Research and sponsored by observability vendor Mezmo (formerly known as LogDNA). Only 22% of the respondents to the survey said their organizations have a formal DevSecOps strategy in place. While many organizations don't have a formal strategy, the report did find that 62% have plans to implement DevSecOps.

Related: DevSecOps Pros and Cons

As to why adoption of formal DevSecOps strategy is so low, Rob Fry, chief technology officer of Mezmo, has a few ideas.

"In the past, security was often seen as a blocker for development teams," Fry told ITPro Today. "The DevSecOps methodology helps security become a business enabler by empowering developers, security engineers, and IT operators with the information they need to identify and resolve issues faster."

Report Identifies Challenges for Implementing DevSecOps

Among the surprises in the report is that challenges with data and tools are hindering DevSecOps success, not necessarily culture, Fry said. Eighty-four percent of organizations say having the right tools and data is necessary for DevSecOps to be successful, the report found.

"DevSecOps can seem like a big, scary word, but even incremental changes like embedding security inside of development squads can help influence positive change," Fry said.

Related: IT Job Salary Survey Yields Surprises and Action Items

Another challenge is the number of tools that organizations are using to extract value from data. According to the report, 91% of respondents are using multiple tools, which causes a variety of issues. Having multiple sources of data makes it difficult to have a master, authoritative source of truth for all the data, according to 55% of respondents.

"Going into the transition to DevSecOps, most people generally expect culture to be the biggest obstacle," Fry said.

A possible reason why culture was not identified as the top obstacle is that the organizations that participated in the survey already had a security-minded, collaborative culture in place and, with this foundation, they were able to focus on other challenges, such as data capture and analysis, Fry said.

Respondents said that the variety (52%) and scale (43%) of data to be captured, analyzed, and taken action on throughout the software development lifecycle hinder security efficiency, he added.

"Nearly all [98%] of respondents said they will likely investigate a managed observability solution over the next 12 months," Fry said. "So I anticipate that we'll see these folks adopt tools like Mezmo that can help them use data as a facilitator of DevSecOps instead of a blocker."

Mezmo is a data observability platform vendor that helps organizations gain visibility into application and developer workloads. The company was known as LogDNA until May 22, when it rebranded.