date 2025-01-23

Friction is still a challenge for DevSecOps

Whether you perceive friction between development and security testing to be an impediment or not often depends on your role in the organization. Of the AppSec team members who responded to the survey used for the “Global State of DevSecOps” report, 65% felt that testing impeded pipelines “moderately” or “severely.” While the report didn’t survey why they feel this way, we can speculate that it’s due to their proximity to the testing process, or potentially because they’re feeling pressure to accelerate review processes. Since they are closest to the task, they face the highest scrutiny for its efficiency.

Of the development and engineering team members who replied to the survey, 58% share the sentiment of their AppSec counterparts. It is, however, important to consider that an additional 12% of the surveyed developers and engineers report that they just don’t have enough visibility into security testing to know what’s going on. Were they to have greater visibility into security testing processes, it is quite possible that they, too, would perceive AppSec testing as an impediment to pipelines. And this lack of visibility makes concerted DevSecOps initiatives more difficult to implement since contributors are unable to close feedback loops or optimize development and testing efforts.

The report also tells us that C-suite respondents (CTOs, CPOs, and CISOs) perceive testing as a drag on velocity. Of those surveyed, 51% felt that DevSecOps “moderately slowed down” velocity, while 18% perceived that it “severely slowed down” pipeline development. These executives share the sentiments of their corresponding teams, perhaps with a greater sensitivity to inefficiencies in DevSecOps workflows because of their role in guiding the strategy for evolution and improvement.

It’s important to consider that these responses are a clear representation of perceived impediment—an inherently subjective metric. As such, the actual experienced friction may be lesser or greater than these reported levels. Organizations should, therefore, work toward providing greater visibility into risks and inefficiencies across the pipeline. This will ensure that action is being taken to address actual friction, instead of wasting effort or money addressing issues that are perceived to be more severe than they are.