DevSecOps: Are Teams Really Shifting Left?

July 19, 2023

DevSecOps has been part of the development lexicon for a few years now. 

But for those who love a good recap: DevSecOps is an approach to software development that marries cybersecurity best practices with an agile DevOps (development and operations) workflow. 

The idea is that companies should be “shifting left” by placing the onus of security on developers during development rather than relying entirely on cybersecurity professionals to clean up issues after the fact. 

Sometimes I wonder how that effort has been going. Then I remembered that I could actually start to answer that because I’m an analyst who has access to G2’s boatload of review data.

Successful DevSecOps requires buy in 

There are all sorts of software solutions on the market today that help teams automate development security. From software composition analysis to container security tools, there are more ways than ever for teams to lock down their development process and put security best practices in the hands of their developers.

Ideally, successful implementation of these solutions means less burden on cybersecurity professionals. However, while the software can encourage that scenario by smoothly integrating with developers’ pre-existing pipelines, it’s never a guarantee that the philosophy will catch on. 

In some cases, while the task of securing software may occur earlier in the development process, ownership may still primarily lie with security engineers. In that case, the result is still functionally a baton pass, albeit a much more frequent one. To achieve security by default, DevSecOps software implementation needs to succeed at changing the way developers work. The goal should be fewer security risks in the code from the get-go. 

So who’s using DevSecOps software?

To investigate whether DevSecOps software is having the desired impact (spreading the burden of secure development across teams and deconcentrating that burden from cybersecurity professionals), I looked at G2 review data.

I made two piles of DevSecOps reviews based on the past six months of activity. In one pile, we have reviews whose user job title relates to cybersecurity. In the other pile, we have everyone else! Note that I ignored any reviews which didn’t provide a job title.
A bar graph highlighting the disparity in number of DevSecOps reviews by cybersecurity professionals and others.
The data shows that in the past six months, cybersecurity professionals have been outnumbered by other users engaging with DevSecOps software. That’s great news if you’re wondering whether these solutions will help your team develop better security practices. 

The results indicate that plenty of users without “security” in their job titles engage with tools that help their companies implement more secure software.

There’s one hiccup: the data also shows a consistent decline in reviews from non-cybersecurity personas from month to month. My take on the downward turn? Everybody’s obsessed with AI, which means DevSecOps trends have cooled off a bit recently. 

Reviews from security experts have certainly declined as well when comparing Q1 to Q2, but the data shows a significant disparity between the two groups. 

A bar graph showing the decrease in number of reviews for DevSecOps

While reviews from both groups have declined, non-security personas have shown a much sharper drop-off. It’s almost as though cybersecurity professionals are inherently more likely to keep using and reviewing DevSecOps software regardless of market trends. What a concept! 

Still, it’s troubling to see a signal like this one from buyers who aren’t already security experts. Are companies steadily losing interest in the concept as the hype cycle changes? 

With more and more users relying on AI code generation software to supplement their programming workload, it’s perhaps more important than ever that companies instill a culture of security-first software development. That means continuing to spread the burden of secure software so that cybersecurity professionals aren’t burnt out.

Double down on security

Overall, the data shows that DevSecOps software seems to be serving its purpose by inviting the whole development team to engage with security tools. Doing so prevents cybersecurity professionals from getting overwhelmed and makes security less of a headache by stopping vulnerabilities before they’re coded. 

But when it comes to software markets, it’s only natural for trends to change from month to month or even hour to hour. Security, though, is always of utmost importance when developing software. 

The consistent decline in DevSecOps review traffic from non-security professionals over the past six months, and the sharpness of that decline compared to reviews left by security experts, is alarming. 

Cybersecurity professionals are counting on their teams to step up to the plate so that everybody’s lives are easier. If your company has eased up on the DevSecOps gas pedal, it’s time to consider recommitting.

Learn about automating application security testing and why it's critical for developers. 

Edited by Jigmee Bhutia

DevSecOps Software
Shift security to the left

Automate code security and make your releases secure by default with DevSecOps software.

DevSecOps: Are Teams Really Shifting Left? DevSecOps has been hailed as the new standard approach to software development. But are the tools successfully relieving cybersecurity professionals?
Adam Crivello Adam is a research analyst focused on dev software. He started at G2 in July 2019 and leverages his background in comedy writing and coding to provide engaging, informative research content while building his software expertise. In his free time he enjoys cooking, playing video games, writing and performing comedy, and avoiding sports talk.