Europe ‘pulling ahead’ of US and APAC in DevSecOps
Written by James Orme Wed 25 Sep 2019

Puppet’s latest State of DevOps Report has evaluated the success of DevOps security integrations
European firms are outperforming other regions when it comes to integrating security into DevOps practices.
That’s according to automation software provider Puppet’s latest State of DevOps Report, which this year canvassed 3,000 organisations to determine how far they have integrated security into their software development lifecycles.
The report reveals that Europe is pulling ahead of the US and Asia Pacific regions in the number of firms reporting ‘significant to full’ security integration, with 43 percent meeting that criterion as opposed to 38 percent or less in the US and APAC.
A company has fully integrated security when it has embedded it into all five phases of the software delivery lifecycle: requirements, designing, building, testing and deployment. Significant integration is achieved when security has been integrated into the testing, deployment and building phases.
DevOps is a popular development philosophy that aims to expedite software delivery and deployment through improved automation, measurement and cross-team sharing. Until recently, organisations have primarily adopted DevOps to get new features out faster, embedding security into the development lifecycle only as an afterthought. This has prompted calls for security experts to be included throughout the lifecycle – hence DevSecOps.
In the report Puppet identified the top five practices that improve security posture. Among them were collaboration between security and development teams on threat models, integration of security tools into the development phase, reviewing security policies before deployment, and having automated tests evaluated by security experts.
While respondents report a slowing down of delivery when these practices are first introduced, the friction eventually subsides and teams become more productive than ever. 61 percent of firms at the highest level of integration are able to deploy on demand, while just 49 percent of organisations with no security integration are able to do so.
The report suggests that firms with a strong DevOps culture based on collaboration and sharing across teams have improved their organisation’s overall security posture.
82 percent of survey respondents at firms with the highest level of security integration said their security policies and practices had significantly improved their firm’s security posture, compared to 38 percent of firms with no security integration.
“The DevOps principles that drive positive outcomes for software development — culture, automation, measurement and sharing — are the same principles that drive positive security outcomes. Organisations that are serious about improving their security practices and posture should start by adopting DevOps practices,” said Alanna Brown, senior director of Community and Developer Relations at Puppet and author of the State of DevOps report.
“This year’s report affirms our belief that organisations who ignore or deprioritise DevOps are the same companies who have the lowest level of security integration and who will be hit the hardest in the case of a breach.”