For years the software testing life cycle has felt like the enemy of DevOps teams, and for good reason. For the last three years, our annual survey participants have all named/blamed testing as the number one reason for release delays.
The trouble with testing
Let’s just say it: testing is hard.
A key component of successful DevOps, testing is apparently the hill many teams die on. Over the last few years, testing has been identified as the primary cause of delays. The trouble with it boils down to essentially two issues: there are never enough tests done and automating testing can be tricky.
But the tide is turning, and we are seeing a significant turnaround in sentiment this year. The latest 2021 Global DevSecOps Survey of nearly 4,300 respondents from around the world found DevOps teams dramatically increased the pace of technology adoption, which allowed them to take larger steps toward DevSecOps, increased release speeds and advanced automation.
Within this, there were several positive signs that the software test life cycle, like many other components of DevOps, is beginning to mature. For starters, almost 25% of survey respondents said they have achieved full test automation, more than double the number reported last year. And 28% said their teams are at least halfway to full test automation.
Releases are faster than ever
Now, more than ever, success in business relies heavily on the release speed of a company’s software. The COVID-19 pandemic accelerated the broad adoption of remote work, which in turn energised teams to focus on embracing cutting-edge DevOps technologies such as Kubernetes, shift-left security and machine learning/artificial intelligence (ML/AI).
This year, 84% of developers said they are releasing code faster than ever before. This increase in release speed is due to the addition of tools like source code management and Continuous Integration and Continuous Delivery (CI/CD).
Nearly 12% of respondents said adding a DevOps platform has sped up the process. Overall, 57% of respondents reported code is released twice as fast – a big increase from last year’s 35% – and 19% said code gets released 10 times faster.
Security remains a pain point
Continuing a trend the 2020 DevSecOps report indicated, developer roles continue to shift left, taking on more responsibility for what were traditionally operations and security-related tasks.
In 2021, more than 70% of security professionals report their teams have moved security considerations earlier into development, or ‘shifted left’, an increase from last year’s 65%. Research indicates this broad increase in shifting left is due in part to an increase in developers conducting static and dynamic application security testing.
Fifty-three percent of developers reported running static application security testing (SAST) scans (a 13% increase from last year) and 44% of developers reported running dynamic application security testing (DAST) scans (a 17% increase from last year).
And yet, when we asked developers what they need to be doing more of, the vast majority of responses mentioned testing, whether it was pen, smoke, A/B, manual or simply test automation. For all the forward momentum, 25% of teams are either just beginning to consider test automation, or have none at all.
Make testing proactive, not reactive
The biggest hurdle to overcome on testing moving forward will be switching from reactive to proactive mode.
Over 42% of respondents felt testing is happening too late in the process, and nearly the same percentage said it was a struggle to unpack, process, and fix vulnerabilities. Almost 37% said tracking the status of the bug fixes was challenging, and 33% found remediation prioritisation difficult.
Like last year, these results indicate a reactive approach to security in the development process. They also indicate the importance of integrating DevSecOps in development cycles, because issues raised in testing that create bottlenecks could be caught and addressed earlier in development.
Overall, the past year has witnessed a major step towards putting the ‘Sec’ in DevSecOps. While greater strides toward implementing DevSecOps practices have been made this year than in years previous, there is more work to be done when it comes to organising and coordinating responsibility between security, developer and operations teams.
What we also know is that business expectations around ‘speed-to-innovation’ are growing. For an organisation to balance the necessary trade-off between speed and security, it will need to adopt ‘shift-left’ processes and tools that seamlessly enable this for both developers and security teams.
Anthony McMahon, Regional Director, APAC and Japan at GitLab