The journey to DevSecOps maturity does not neatly shift left along the software development lifecycle (SDLC). Companies start by adding security into the testing phase and then usually integrate security as they deploy applications into production. The nearly 3,000 technical professionals and executives surveyed for the “2019 State of DevOps Report” believe these steps positively impact a company’s security posture. Yet adding “security” to testing and deployment also increases friction between security and developer teams.
Unsurprisingly, only 38% of respondents who do not integrate security at all say security policies or processes improve their company’s security posture. The report, from Puppet, CircleCI and Splunk, uses the number of SDLC phases involved with security to gauge the level of integration. Testing and deployment are the two phases most likely to be integrated with security. Just doing this has a positive impact. Build is usually the next phase to be integrated. Overall, 74% of those reporting integration of at least three phases noted a positive impact on their company’s security posture. The requirements and design phases are most likely to deal with security at companies that integrate all five of the stages of software development.