The SANS 2023 DevSecOps Survey has provided a wealth of data on the current state of DevSecOps across organizations. It is essential to delve into these findings to understand the trajectory of DevSecOps maturity and assess how organizations are adapting. Let’s examine some of the most impactful takeaways from the 2023 Report.

Multi-Cloud Adoption Soars

The survey underscores the dramatic shift towards multi-cloud strategies. While giants like Amazon Web Services (AWS), Microsoft Azure, and Google Cloud Platform (GCP) continue to host over 75% of application workloads, 47% of the respondents reported using other cloud providers like Alibaba Cloud, IBM Cloud, and Oracle Cloud. This is a considerable jump from 25% last year. The rise in multi-cloud adoption adds a substantial layer of complexity, because security controls, identity models, and logging conventions differ from one platform to the next and must be managed consistently across all of them.

Funding Constraints for Security Tools

One of the most cited challenges remains the difficulty in securing the necessary funding for new security and testing tools. It’s a bottleneck for organizations aiming to bolster their security infrastructure. This financial aspect is not just a technical issue but a business-critical one, and it requires strategic planning and stakeholder alignment.

The Imperative of Communication and Professional Development

According to the survey, successful DevSecOps initiatives rely heavily on internal communications and the cultivation of “security champions” through professional development activities. Breaking down silos between departments and fostering a culture of open dialogue are crucial in implementing a successful DevSecOps strategy.

The Continued Reliance on VMs

While containers and serverless functions offer potential advantages, 69% of respondents reported that at least a quarter of their applications still run on Virtual Machines (VMs). This preference for VMs may be an indicator of the broader comfort level with established technologies but may also hint at missed opportunities in terms of security and performance.

DevSecOps as a Business and Risk Management Concern

DevSecOps has transitioned from a primarily technical focus to a business-critical function. Notably, 40% of the survey respondents were aligned with the business side of their organization, and 13% identified themselves as business managers. This is a telling indicator of how DevSecOps has become integrated into business strategy and risk management conversations.

Industry Representation and the Missing Sectors

Though the technology, cybersecurity, and application development sectors were prominently represented, there was a noticeable decline in the banking and finance industry from 17% in 2022 to just 7% in 2023. Government and healthcare sectors remained underrepresented in terms of DevSecOps maturity, which is a point of concern given the sensitive data these sectors often handle.

The AI and Data Science Horizon

The survey showed a notable increase from 33% in 2022 to 49% in 2023 in organizations looking to leverage AI and data science to improve DevSecOps. This trend indicates a collective interest in the capabilities of emerging technologies to enhance security postures.

Tools and Techniques for a Multicloud Strategy

Securing multi-cloud environments requires specialized tools. Software Composition Analysis (SCA), Static Application Security Testing (SAST), and Dynamic Application Security Testing (DAST) are instrumental for both long-lived VMs and ephemeral containers. The report recommends Cloud Security Posture Management (CSPM), which checks cloud configuration against policy, and Cloud Workload Protection Platforms (CWPP), which protect the running VMs and containers themselves, for organizations navigating multi-cloud complexities.

The Importance of Automation in Security Testing

Automating security testing processes allows for frequent, broad, and cost-effective evaluations. Organizations must consider this as they expand or build their DevSecOps strategies.

Lift-and-Shift Versus Deep Integration

Organizations moving containerized workloads to the cloud face a decision: adopt a lift-and-shift approach, carrying their existing security tooling with them, or aim for deeper integration with their cloud providers' native security tools. Each comes with its own set of challenges and benefits, and organizations must weigh their multi-cloud strategies when making this decision, since provider-native tooling rarely carries over from one cloud to another.

Culture, Communication, and KPIs

A successful DevSecOps program is not just about the tools or the cloud providers; it’s about the people. Cultivating a culture of continuous communication and shared responsibility is imperative. Leveraging Key Performance Indicators (KPIs) can help identify areas for improvement and facilitate alignment across the organization.

Final Thoughts on DevSecOps Maturity

The SANS 2023 DevSecOps Survey has presented an insightful snapshot of the current landscape and the state of DevSecOps maturity. From the surging trend in multi-cloud adoption to the crucial importance of internal communication, it is clear that DevSecOps is evolving in complexity and scope. Organizations must adapt to these shifts through thoughtful investment in tools, professional development, and strategic planning to successfully navigate the ever-changing DevSecOps environment.

The advancement in DevSecOps Maturity is particularly evident in the way organizations have integrated security into their DevOps processes. This maturity isn’t merely a reflection of sophisticated tool adoption but is deeply rooted in the organizational mindset. What stands out in this evolution is the growing emphasis on creating ‘security champions’ within DevOps teams, as underscored by the SANS 2023 survey. Another hallmark of DevSecOps Maturity is the widespread utilization of metrics and Key Performance Indicators (KPIs) to quantify security efforts. Perhaps the most compelling sign of this maturity is the increased involvement of business leaders in DevSecOps activities, illustrating that security has transitioned from being merely a technical consideration to a business imperative.