Gartner: Software businesses must adopt DevSecOps before it becomes mainstream

Software developer working on code
(Image credit: Shutterstock)

Software businesses must make DevSecOps and software composition analysis a priority before they become mainstream, research firm Gartner has concluded.

In its Hype Cycle 2022 report, Gartner said DevSecOps and Software Composition Analysis (SCA) will see mainstream adoption in less than two years, listing them as a ‘transformational’ innovations – the highest in its ranking system.

These transformational innovations are described as having a “significant impact on an organization’s business models” and will drive a need for new strategies and tactics.

By integrating security into the development process, businesses can eliminate or reduce friction between security and development and, ultimately, achieve a secure software development lifecycle (SDLC).

The research firm said the drivers include the adoption of DevOps and its need for security and compliance testing that can keep up with the pace of development, as well as its earlier application into the lifecycle compared with traditional application security testing (AST) tools.

Testing results also need to be integrated into the development process in a manner that complements developers’ existing workflows and toolsets, while the use of open source has significantly increased the risk of inadvertent use of vulnerable components and frameworks by developers.

RELATED RESOURCE

Smarter AIOps

AI powered automation helping your business assure app performance

FREE DOWNLOAD

However, Gartner also noted several key obstacles, including developers believing security testing tools are slowing them down, not understanding the vulnerabilities their coding creates, as well as them not wanting to leave their continuous integration/continuous delivery (CI/CD) pipeline to perform tests or view results.

Static application testing (SAST) and dynamic application security testing (DAST)tools have also been hindered by false positives or vague information which frustrates developers, Gartner added. In contrast, diversity of tools used in modern CI/CD pipeline “will complicate the seamless integration of DevSecOps offerings”.

To counter these, Gartner recommends several tactics, including preparing teams for automated integration, “shifting left” to make security testing tools available earlier in development, and favouring offerings that can link scanning in development to correct configuration, visibility and protection runtime.

Similarly, SCA tools will help ensure the software supply chain can be trusted, identify known vulnerabilities, ensure components are properly licensed, while supporting the use of OSS in app development.

According to Gartner, SCA should be considered a “foundational element of application security testing” to identify known vulnerabilities and supply chain risks in open source packages.

Daniel Todd

Dan is a freelance writer and regular contributor to ChannelPro, covering the latest news stories across the IT, technology, and channel landscapes. Topics regularly cover cloud technologies, cyber security, software and operating system guides, and the latest mergers and acquisitions.

A journalism graduate from Leeds Beckett University, he combines a passion for the written word with a keen interest in the latest technology and its influence in an increasingly connected world.

He started writing for ChannelPro back in 2016, focusing on a mixture of news and technology guides, before becoming a regular contributor to ITPro. Elsewhere, he has previously written news and features across a range of other topics, including sport, music, and general news.