New DevSecOps research by GitLab suggests that 65% of developers are using artificial intelligence and machine learning in their code testing efforts or plan to do so within the next three years, signaling a potentially significant shift towards the automation of software development processes.
GitLab’s seventh annual Global DevSecOps Report surveyed more than 5,000 IT leaders, CISOs and developers across the financial services, automotive, healthcare, telecommunications and tech industries. The goal of the survey, which was conducted by market research agency Savanta in March 2023, was to understand the successes, challenges and priorities for DevSecOps implementation.
A growing reliance on AI and ML
Among the key findings in GitLab’s report was the fact that AI/ML adoption in software development and security workflows continues to accelerate, with 62% of software developers using AI/ML to check code — up from 51% in 2022 — while 53% are using bots in the testing process, compared to 39% last year.
GitLab’s report found that organizations were beginning to incorporate security into the software development life cycle earlier, with AI/ML playing a critical role in identifying vulnerabilities in code. Developers who used a DevSecOps platform were more likely to have implemented automation and AI/ML for testing than those who had not, the research found.
Challenges for developers and security professionals
Developers and security professionals continue to face challenges juggling the various tools and applications they are expected to use as part of their role. Toolchain management is an issue for security professionals in particular.
GitLab found that 57% of security respondents reported using six or more tools, compared to 48% of developers and 50% of operations professionals.
Not only that, but security professionals’ toolchains appear to be expanding. In GitLab’s 2022 Global DevSecOps Report, 54% of security respondents said they used two to five tools in their workflow, while 35% reported using six to 10; in 2023, these figures were 42% and 43%, respectively.
Consistent security monitoring
Predictably, the plethora of tools security professionals are expected to use makes maintaining consistent monitoring more challenging, with 26% of security professionals identifying this as an issue. Likewise, 26% of security respondents reported difficulty in drawing cohesive insights from all integrated tools, with two-thirds (66%) saying they wanted to consolidate their toolchains as a result.
The study indicated a growing awareness of security as a shared responsibility among DevSecOps teams, with 71% of security professionals surveyed reporting that developers were capturing a quarter or more of all security vulnerabilities — up from 53% in 2022.
A trend in “shifting left”
The report highlighted a shift towards cross-functional collaboration, with 38% of security professionals reporting being part of a team focused on security, compared to 29% in 2022.
According to GitLab, this trend reflects the industry’s move toward incorporating security earlier in the software development lifecycle, known as “shifting left.” This approach enables development, security and operations teams to work together more efficiently, rather than operating in silos.
With 85% of security respondents reporting the same or lower budgets than in 2022, tech teams are having to stretch their dollars further than ever.
THIS: Why shifting left is at the top of the agenda for DevSecOps
In the press release about the report, David DeSanto, chief product officer at GitLab, said DevSecOps tools and methodologies could enable organizations to achieve better security and efficiency by consolidating toolchains and reducing costs, ultimately freeing up development teams to focus on mission-critical responsibilities and novel solutions.
“Organizations globally are seeking out ways to do more with less. This means that efficiency and security cannot be mutually exclusive when identifying opportunities to remain competitive,” said DeSanto.
“GitLab’s research shows that DevSecOps tools and methodologies allow leadership to better secure and consolidate their disparate, fragmented toolchains and reduce spend, while also freeing up development teams to spend time on mission-critical responsibilities and innovative solutions.”
THIS: Security teams aren’t the only ones struggling to do more with less.
The most important skills for security pros
As AI and ML become a more integral part of the software development lifecycle, organizations will need to ensure security teams are equipped with the right skills and tools to take full advantage of new technologies. However, GitLab found that AI and ML are competing with other high-impact areas as security professionals shuffle their professional goals.
THIS: Learn about the different DevOps careers and career paths
In 2022, security professionals identified AI/ML as the most important skill for furthering their careers — more so than both developers and operations professionals.
This year, while nearly a quarter (23%) of security professionals chose AI/ML as top skills, they placed more importance on soft skills (31%), subject matter expertise (30%) and metrics and quantitative insights (27%) — suggesting that professionals recognize the need for a well-rounded skill set to navigate modern security challenges.
Worries about how AI/ML will impact jobs
There is some resistance to the accelerating adoption of AI and ML in the software development cycle, which leaders will need to navigate carefully.
Much like in other industries, GitLab’s survey found that tech professionals worry about what AI/ML mean for their jobs: Two-thirds (67%) of security respondents said they were concerned about the impact of AI/ML capabilities on their role, with 28% saying they were “very” or “extremely” concerned.
Of those respondents who expressed concern, 25% said they were worried that AI/ML could introduce errors that would make their job more difficult. Meanwhile, 29% worried that AI/ML would reduce the number of available jobs, and 23% expressed concern that AI/ML would make their skills obsolete.
How leaders can empower DevSecOps
Invest in AI/ML training and tools
Organizations should prioritize equipping their security teams with the necessary skills and tools to effectively leverage AI and ML in their software development and security workflows, maximizing the benefits of automation and improving efficiency.
Promote cross-functional collaboration
Encourage a shifting left approach by fostering collaboration among development, security and operations teams, leading to a more streamlined and efficient software development lifecycle that incorporates security from the ground up.
Consolidate and streamline toolchains
Security professionals are using multiple tools, leading to additional complexity. Focus on consolidating and simplifying toolchains to improve efficiency, reduce friction and costs and enable security teams to focus on their key responsibilities.