DevSecOps has been part of the development lexicon for a few years now.
But for those who love a good recap: DevSecOps is an approach to software development that marries cybersecurity best practices with an agile DevOps (development and operations) workflow.
The idea is that companies should be “shifting left” by placing the onus of security on developers during development rather than relying entirely on cybersecurity professionals to clean up issues after the fact.
Sometimes I wonder how that effort has been going. Then I remember that I can actually start to answer that, because I’m an analyst with access to G2’s boatload of review data.
What is DevSecOps?
DevSecOps, which is a mashup of development, security, and operations, is a software development approach based on current industry best practices. Companies seeking to achieve DevSecOps aim for a development workflow that constantly tests, secures, and delivers software. To that end, the goal of DevSecOps is to make software releases functional and secure by default to reduce post-delivery headaches.
Successful DevSecOps requires buy-in
There are all sorts of software solutions on the market today that help teams automate development security. From software composition analysis to container security tools, there are more ways than ever for teams to lock down their development process and put security best practices in the hands of their developers.
Ideally, successful implementation of these solutions means less burden on cybersecurity professionals. However, while the software can encourage that scenario by smoothly integrating with developers’ pre-existing pipelines, it’s never a guarantee that the philosophy will catch on.
In some cases, while the task of securing software may occur earlier in the development process, ownership may still primarily lie with security engineers. In that case, the result is still functionally a baton pass, albeit a much more frequent one. To achieve security by default, DevSecOps software implementation needs to succeed at changing the way developers work. The goal should be fewer security risks in the code from the get-go.
So who’s using DevSecOps software?
To investigate whether DevSecOps software is having the desired impact (spreading the burden of secure development across teams and deconcentrating that burden from cybersecurity professionals), I looked at G2 review data.
I made two piles of DevSecOps reviews based on the past six months of activity. In one pile, we have reviews whose user job title relates to cybersecurity. In the other pile, we have everyone else! Note that I ignored any reviews which didn’t provide a job title.
The data shows that in the past six months, cybersecurity professionals have been outnumbered by other users engaging with DevSecOps software. That’s great news if you’re wondering whether these solutions will help your team develop better security practices.
The results indicate that plenty of users without “security” in their job titles engage with tools that help their companies implement more secure software.
There’s one hiccup: the data also shows a consistent decline in reviews from non-cybersecurity personas from month to month. My take on the downward turn? Everybody’s obsessed with AI, which means DevSecOps trends have cooled off a bit recently.
Reviews from security experts have certainly declined as well when comparing Q1 to Q2, but the data shows a significant disparity between the two groups.
While reviews from both groups have declined, non-security personas have shown a much sharper drop-off. It’s almost as though cybersecurity professionals are inherently more likely to keep using and reviewing DevSecOps software regardless of market trends. What a concept!
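As an added example (not from the original post and not G2's own tooling), this Python script applies the two-pile split described above to a constructed set of reviews: job titles are classified with an assumed keyword heuristic, reviews without a title are dropped, and Q1 and Q2 counts are compared per group.

```python
from collections import defaultdict

# Constructed sample reviews (date, job title); not G2 data.
SAMPLE_REVIEWS = [
    ("2024-01-15", "Security Engineer"),
    ("2024-01-20", "Backend Developer"),
    ("2024-01-22", "DevOps Engineer"),
    ("2024-01-28", "SRE"),
    ("2024-02-03", "Application Security Lead"),
    ("2024-02-10", "Software Engineer"),
    ("2024-02-14", "Platform Engineer"),
    ("2024-03-02", "CISO"),
    ("2024-03-09", "Full Stack Developer"),
    ("2024-03-30", ""),  # no job title: ignored, as in the method above
    ("2024-04-05", "Security Analyst"),
    ("2024-04-12", "Cloud Engineer"),
    ("2024-05-01", "InfoSec Engineer"),
    ("2024-05-19", "QA Engineer"),
]

# Title fragments treated as a cybersecurity persona (an assumed heuristic, not G2's taxonomy).
SECURITY_MARKERS = ("security", "infosec", "appsec", "ciso")

def is_security_persona(title):
    """True if the job title reads as a cybersecurity role; empty titles are never classified."""
    t = title.strip().lower()
    return bool(t) and any(marker in t for marker in SECURITY_MARKERS)

def monthly_counts(reviews):
    """Map 'YYYY-MM' -> {'security': n, 'other': n}, skipping reviews without a title."""
    counts = defaultdict(lambda: {"security": 0, "other": 0})
    for day, title in reviews:
        if not title.strip():
            continue
        group = "security" if is_security_persona(title) else "other"
        counts[day[:7]][group] += 1
    return dict(counts)

def quarter_change(reviews, q1_months, q2_months):
    """Percent change in review volume from Q1 to Q2 for each persona group (None if Q1 is empty)."""
    monthly = monthly_counts(reviews)
    result = {}
    for group in ("security", "other"):
        q1 = sum(monthly.get(m, {}).get(group, 0) for m in q1_months)
        q2 = sum(monthly.get(m, {}).get(group, 0) for m in q2_months)
        result[group] = (q2 - q1) / q1 * 100 if q1 else None
    return result
```

With the constructed sample, the security pile drops about 33% from Q1 to Q2 while the non-security pile drops about 67%, the kind of disparity the post describes.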
Still, it’s troubling to see a signal like this one from buyers who aren’t already security experts. Are companies steadily losing interest in the concept as the hype cycle changes?
With more and more users relying on AI code generation software to supplement their programming workload, it’s perhaps more important than ever that companies instill a culture of security-first software development. That means continuing to spread the burden of secure software so that cybersecurity professionals aren’t burnt out.
Double down on security
Overall, the data shows that DevSecOps software seems to be serving its purpose by inviting the whole development team to engage with security tools. Doing so prevents cybersecurity professionals from getting overwhelmed and makes security less of a headache by stopping vulnerabilities before they’re coded.
But when it comes to software markets, it’s only natural for trends to change from month to month or even hour to hour. Security, though, is always of utmost importance when developing software.
The consistent decline in DevSecOps review traffic from non-security professionals over the past six months, and the sharpness of that decline compared to reviews left by security experts, is alarming.
Cybersecurity professionals are counting on their teams to step up to the plate so that everybody’s lives are easier. If your company has eased up on the DevSecOps gas pedal, it’s time to consider recommitting.
Edited by Jigmee Bhutia