DevSecOps, like its twin DevOps, is a process that has been in place in software shops for several years with the goal of enabling more collaborative and intelligent workflows. Now, AI is poised to add even more power to these efforts, but many remain skeptical about its impact.
These are some of the takeaways from a recent survey by the SANS Institute of 363 IT executives and managers, which found growing interest in adding AI or machine learning capabilities to DevSecOps workflows. Over the past year, there has been a significant increase (16%) in the use of AI or data science to improve DevSecOps through exploration and experimentation, from 33% in 2022 to 49% in 2023.
While there is growing interest in applying AI to the software development lifecycle, there is also a healthy skepticism about going full-throttle when introducing AI into workflows. “A significant portion of respondents, around 30%, reported that they did not use any AI or data science capabilities,” SANS authors Ben Allen and Chris Edmundson point out. “This may reflect issues such as increasing levels of concern around data privacy and intellectual property ownership.”
DevSecOps, as defined in the report, is “a process of software development (Dev), security (Sec), and operations (Ops) that aims to automate, monitor, and integrate security throughout all phases of the software development lifecycle.” In other words, it establishes a process for building in security at the very beginning (the design stage) and following it through to deployment.
Ultimately, a well-functioning DevSecOps initiative “reduces the time it takes to fix security issues, reduces the burden on security processes, and increases ownership of application security,” Allen and Edmundson say.
There is an increase in pilot projects integrating security operations into both “AI and machine learning operations” (19% fully or partially integrated) and “data science operations” (24%). This “may indicate that organizations are performing threat modeling and risk assessment before incorporating AI capabilities into their products,” the authors said.
Many organizations feel an urgent need for more qualified DevSecOps talent. 38% report a skills gap in this area. “As demand continues to outstrip supply in this field, there is a real need for greater attention to this ever-changing field,” the authors write. “To address talent shortages amid competitive pressures, organizations must further leverage proven DevSecOps practices and explore new technology capabilities.”
Platform engineering, which aims to streamline the flow of software from idea to implementation, is also popular, fully or partially adopted by 27% of respondents. “As the developer self-service capabilities inherent in platform engineering practices mature, we leverage the orchestration used to build, package, test, and deploy applications to move security testing and tools to key points in the process. It will be essential to incorporate it into the system,” Allen and Edmundson said. “A well-implemented software engineering platform designed in close collaboration with security stakeholders can help organizations achieve their application security orchestration and correlation goals.”