Variations in DevOps maturity and security integration, says report

Puppet has revealed the findings of its first State of DevOps: Industry Report Card. Among its findings are that the technology industry is the “pack leader” across the board in terms both DevOps maturation and integrating security into the software delivery lifecycle.

Despite the sensitive information the financial services and insurance sectors handle, they scored the lowest on security integration of any industries in the report. This sector is also further behind on evolving their DevOps capabilities. This, says Puppet is perhaps because they are constrained by a higher regulatory burden both in terms of volume and complexity. Meanwhile, the retail industry surpasses all others, even technology firms, when it comes to deploying on-demand.

The 2019 report, based on nearly 3,000 responses collected through Puppet’s eighth annual State of DevOps survey, examines how key industries perform not only in their DevOps success and progression but also in their ability to integrate security into their DevOps practices.

“Integrating security into your DevOps practices can be challenging, but when done correctly is proven to pay off. Security should not be an afterthought; it must be a shared responsibility across teams during every stage of their software delivery lifecycle,” said Alanna Brown, senior director Community and Developer Relations at Puppet.

“In this report, we provide a birds-eye view of how each sector is performing when it comes to security integration, and supply practical advice on how best to drive DevOps initiatives forward based on their unique business characteristics and overall industry trends.”

Industries were measured based on their overall DevOps maturation and current state of security integrations. Here is how each industry faired:

• Technology: The technology industry leads the way for both DevOps maturation and security integration for requirements, design, building and testing. One interesting observation around this industry is that 35% of these companies view security as a shared responsibility by all teams, not just the security team — compared to the industry average of 31%.

It also had the highest degree of leadership support for DevOps initiatives. 28% of technology respondents say that leadership always supports DevOps initiatives.

• Financial Services and Insurance: This sector has the largest number of organisations that are in the group characterised as Medium on the DevOps evolution journey. Conversely, they have the lowest number of organisations that are characterised as High. This shows that the financial services and insurance industry have a solid foundation of DevOps practices to build upon, but advancing beyond the middle is challenging.

Audits also stand out in financial services and insurances and not in a good way. Only 17% of financial services and insurance industry respondents strongly agree with the statement “Our audit process helps minimise risk to the business.” This is the lowest of all the industries — the overall average is 24%.

• Telecom: The telecom industry has made significant progress to evolve its DevOps practices. The number of companies that scored in the High category of the DevOps evolution rose 42% since last year’s survey. One glaring challenge with this industry is it has the highest level of friction between security and delivery teams — 19& of companies reported friction when collaborating together.
• Retail: The retail industry has the highest percentage of firms that can and do deploy on demand — 57% are capable of deploying to production on demand and 28% say that they are actually deploying on demand. This industry also resolves their critical vulnerabilities the fastest with 53% reporting remediation in under one day.
• Government: Conversely to the retail sector, government agencies reported the slowest time to remediate critical vulnerabilities with 3% of respondents being able to remediate in less than one hour and 24% able to remediate in less than one day. In terms of security integration, there’s no real middle ground in the industry, 43% of respondents report either significant integration or full integration while 42% have no or minimal integration.

The full 2019 State of DevOps: Industry Report Card, which includes a deeper look at the data and opportunities for each industry to improve its DevOps practices and security integration, is available for download here.

Report methodology

The survey collected data from technical professionals with a working knowledge of their IT operations and software delivery process. A third-party research firm, OnResearch, hosted the survey and conducted the data analysis. The resulting report was written by Puppet, CircleCI and Splunk. Splunk participation involved providing analysis and commentary to the report findings. All other opinions and writings in the report were completed by Puppet and CircleCI.

Comment on this article below or via Twitter: @VanillaPlus OR @jcvplus