Gartner: Software businesses must adopt DevSecOps before it becomes mainstream
Daniel Todd
Integration will ultimately help organisations reduce friction between security and development, research firm says
Software businesses must make DevSecOps and software composition analysis a priority before they become mainstream, research firm Gartner has concluded.
In its Hype Cycle 2022 report, Gartner said DevSecOps and Software Composition Analysis (SCA) will see mainstream adoption in less than two years, listing both as ‘transformational’ innovations, the highest rating in its ranking system.
These transformational innovations are described as having a “significant impact on an organization’s business models” and will drive a need for new strategies and tactics.
By integrating security into the development process, businesses can eliminate or reduce friction between security and development and, ultimately, achieve a secure software development lifecycle (SDLC).
The research firm said the drivers include the adoption of DevOps and its need for security and compliance testing that can keep up with the pace of development, as well as the ability to apply such testing earlier in the lifecycle than traditional application security testing (AST) tools allow.
Testing results also need to be integrated into the development process in a manner that complements developers’ existing workflows and toolsets, while the use of open source has significantly increased the risk of inadvertent use of vulnerable components and frameworks by developers.
However, Gartner also noted several key obstacles, including developers believing security testing tools slow them down, not understanding the vulnerabilities their code creates, and not wanting to leave their continuous integration/continuous delivery (CI/CD) pipeline to run tests or view results.
Static application security testing (SAST) and dynamic application security testing (DAST) tools have also been hindered by false positives or vague findings that frustrate developers, Gartner added. Moreover, the diversity of tools used in modern CI/CD pipelines “will complicate the seamless integration of DevSecOps offerings”.
To counter these, Gartner recommends several tactics, including preparing teams for automated integration, “shifting left” to make security testing tools available earlier in development, and favouring offerings that can link scanning in development to correct configuration, visibility and protection at runtime.
Similarly, SCA tools will help ensure the software supply chain can be trusted, identify known vulnerabilities and ensure components are properly licensed, all while supporting the use of OSS in app development.
According to Gartner, SCA should be considered a “foundational element of application security testing” to identify known vulnerabilities and supply chain risks in open source packages.
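To make the SCA role described above concrete, here is an added example (not code from the Gartner report or from this article): a minimal CI gate that matches a constructed dependency manifest against a constructed advisory list and a licence allow-list, and fails the build on any known vulnerability. Package names, advisory ids and version ranges are all constructed; a real SCA tool pulls advisories from a vulnerability database and resolves transitive dependencies.

```python
# Constructed sample manifest (package==version per line); names are not real packages.
MANIFEST = """\
netclient==2.25.1
yamlkit==5.3.1
padutil==1.0.0
"""
# Constructed advisories: (package, introduced, fixed, id). Ids are placeholders, not CVEs.
ADVISORIES = [
    ("yamlkit", "0.0.0", "5.4.0", "EXAMPLE-ADV-001"),
    ("netclient", "2.0.0", "2.20.0", "EXAMPLE-ADV-002"),
]
# Constructed licence metadata; a real tool reads this from package metadata.
LICENSES = {"netclient": "Apache-2.0", "yamlkit": "MIT", "padutil": "AGPL-3.0"}
ALLOWED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

def parse_version(v):
    """Turn '5.3.1' into (5, 3, 1) so ranges compare numerically, not lexically."""
    return tuple(int(part) for part in v.split("."))

def parse_manifest(text):
    """Return (name, version) pairs, skipping blank lines and comments."""
    deps = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            name, version = line.split("==", 1)
            deps.append((name.lower(), version))
    return deps

def scan(manifest):
    """Return findings as (package, version, kind, detail) tuples, kind in {vulnerability, license}."""
    findings = []
    for name, version in parse_manifest(manifest):
        v = parse_version(version)
        for pkg, introduced, fixed, adv_id in ADVISORIES:
            # Affected when introduced <= version < fixed (half-open range, as OSV expresses it).
            if pkg == name and parse_version(introduced) <= v < parse_version(fixed):
                findings.append((name, version, "vulnerability", f"{adv_id}: fixed in {fixed}"))
        licence = LICENSES.get(name, "UNKNOWN")
        if licence not in ALLOWED_LICENSES:
            findings.append((name, version, "license", f"{licence} not in allow-list"))
    return findings

def should_fail_build(findings):
    """Gate policy: fail the pipeline on any known vulnerability; licence issues are reported only."""
    return any(kind == "vulnerability" for _, _, kind, _ in findings)

if __name__ == "__main__":
    for finding in scan(MANIFEST):
        print(*finding)
    raise SystemExit(1 if should_fail_build(scan(MANIFEST)) else 0)
```

Run as a pipeline step, the non-zero exit code is what blocks the merge; the printed findings are what developers see without leaving CI/CD.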
Summary
Gartner predicts mainstream adoption of DevSecOps and Software Composition Analysis within two years, labeling them as 'transformational' innovations. These technologies are expected to impact business models significantly and necessitate new strategies. To achieve a secure software development