The State of DevSecOps 2020

The first Capgemini Global DevSecOps Report attempts to understand the challenges leading organisations face when attempting to build digital products quickly and securely. We surveyed and benchmarked 100 organisations from 16 counties, across 14 industries. We found that:

• Despite having access to state-of-the-art technologies, organisations found it difficult to embed security into the Software Development Lifecycle (SDLC) because traditional and deep-rooted mindsets served as the biggest blocker.
• Whilst performing security activities earlier in the SDLC will cost organisations less than retrofitting security, it can be difficult for organisations to know how to implement reproducible and standardised security frameworks.
• The overwhelming scale for certain organisations resulted in confusion and paralysis over which parts of IT, DevOps, or Security to transform first, and how the wider business fits into this.
• Spending more money on advanced security tooling in the SDLC does not correlate with an improvement in overall security. Rather, organisations need to consider security as a capability involving people, culture, processes and then tools.

From insights to the framework: our report shares two tried and tested frameworks to accelerate ‘DevSecOps’ transformation

From our global experience, we have built two frameworks to empower organisations to accelerate the build of their DevSecOps capability:

• A strategic framework pitched at leadership through the Educate, Automate, Monitor principles
• An operational framework pitched at security practitioners through the Seven Security Touchpoint Model within the SDLC.

We also propose to use the Design Thinking Methodology when kickstarting the DevSecOps transformation journey. Humans are rarely considered when it comes to matters of security, and we believe this causes frictions between security practitioners and developers. Design Thinking is handy for co-designing security systems into the product build.