SOUTH AFRICAN DEVSECOPS SURVEY, 2019


Post on 02-Aug-2020


As digital disruption and transformation take hold across industry sectors and economies, speed-to-market pressure is growing. However, many organisations are struggling to ramp up transformation to deliver value at the velocity of business change—securely. South African businesses are among them.

Organisations in South Africa are adopting exponential technologies like cloud, microservices, artificial intelligence (AI) and blockchain, along with agile development methodologies to keep pace with customer demand and remain competitive. But more tech and agile IT is not translating into more value for many of them.

How can companies transform, innovate and deliver faster—and remain secure?

Our South African DevSecOps Survey shows that the majority of companies are facing an innovation achievement gap—slow and narrow adoption of new technologies and approaches, and failure to integrate security into development and operations (DevOps) practices limits innovation and business potential, and makes organisations increasingly vulnerable to risk.

How big is that gap? It’s significant.

DEVSECOPS CAN ACCELERATE TRANSFORMATION, INNOVATION AND REVENUE GROWTH


South African organisations are at risk.

Our South African DevSecOps Survey, conducted in collaboration with Micro Focus, posed key questions to 3,500 South African IT professionals across eight key industry sectors—including IT, financial services, manufacturing, retail and telecommunications—about their application landscapes, their development practices and security strategies.

The survey offers valuable insights. While the majority of respondents note that they are developing for the Web and mobile, use of cloud technologies and agile methodologies is low, and security is not an integral part of development. Slow technology adoption is matched by the relative lack of prioritisation or recognition of the growing cyber security threat.

Results show that:

• Adoption of agile in DevOps initiatives, at 32%, is low.

• Only 35% of respondents fully integrate security into DevOps projects and only 38% of development teams collaborate with security teams.

• Over 50% say they have run into a security breach in the production stage of an application.

• 74% don't do regular scheduled external tests.

• 74% indicate a time frame of longer than one year to invest in DevSecOps.

How can South African companies address this risk, accelerate transformation, fully leverage new technologies, innovate at digital speed and drive future competitiveness without compromising security?

Our Future Systems research reveals that companies that adopt a ‘living systems’ approach and excel at scaling technology innovation can generate double the revenue growth.

It will require:

• Alignment of business and IT to create integrated agile teams;

• Implementing a continuous innovation approach to deliver value at speed; and

• Transforming talent and teams to be systems-centric and engineering-led to deliver change at scale.

Security is a critical part of living systems. The security operating model will also need to change to ensure security is baked into the delivery value chain, getting it right from the start.

That’s DevSecOps.


SOUTH AFRICAN DEVSECOPS SURVEY - RESULTS

What is your role?

[Chart: share of respondents by role. Roles shown: Application/Infrastructure Architect; Application Director/Manager; DevOps Engineer; Head of Development/Developer; IT Director/Manager; Operations/Production Manager; Performance Engineer; Product/Project Manager; QA Manager/Tester; Scrum Master; Security Manager; Service Desk Manager; Other.]

Development team roles

The survey was targeted at development teams. The relative lack of security professionals among the respondents—only 2 percent—was noticeable.

Application profiles

Of respondents, more than 75 percent noted that they have customer-facing applications. A high percentage of respondents (72 percent) noted that they are developing Web applications. However, 69 percent also noted that they are developing client/server apps, which may indicate that every Web instance connects to hybrid architectures (old and new). In addition, the mobile native app development noted by 38 percent of respondents is comparatively high.

What type of applications do you develop? (Multiple choice)

• Web: 72%

• Mainframe: 15%

• Client/Server: 69%

• CRM: 32%

• ERP: 23%

• Mobile Native: 38%


Risk profiles

Over 50 percent of respondents say they have run into a security breach in the production stage of an application. However, 74 percent say they don't do regular scheduled external tests. This calls into question the processes in place to validate these organisations’ security postures.

DevSecOps adoption

Only 35 percent fully integrate security into DevOps projects and only 38 percent of development and audit teams collaborate with security teams. However, respondents are well aware of the benefits of DevSecOps to protect the organisation from cybercrime, comply with regulatory requirements and increase organisational responsiveness. Despite this, 74 percent indicate a time frame of longer than one year to invest in DevSecOps.

Application deployment profiles

Adoption of agile in DevOps initiatives is low (32 percent) and manual release processes are still prevalent, but there is keen interest in adoption of application security (51 percent).

What DevOps initiatives have you already implemented or do you wish to implement?

[Chart: percentage of respondents per initiative. Initiatives shown: Adoption of Agile; Agile Planning and Governance; Agile Portfolio Management; Application Security; Automation of Deploy; Continuous Delivery A; Continuous Integration; Functional and Performance; Release Orchestration; Software Configuration; Support to build a Dev.]

How would you describe the collaboration between the development and audit security teams?

• No collaboration: 17%

• The security directives are implemented by the developers alone: 17%

• The security team contributes occasionally to project groups and at checkpoints: 28%

• Both teams work in close collaboration throughout the project: 38%

What are the advantages of DevSecOps processes?

[Chart: percentage of respondents per advantage. Options shown: Not applicable; Active prevention of cybercrime; Conforming to security/compliance requirements; Fast recovery of production errors; Increased responsiveness to modifications; Less time spent in testing; Reduction in the number of post-deployment incidents; Zero performance related incidents.]


LEADERS

• People-led problem solving

• Interoperability and consistency drive system design

• Connected organisational silos; IT and business co-create

LAGGARDS

• Technology-led problem solving

• Frequent friction from incompatible systems and data

• Siloed, disconnected business units/processes

When it comes to technology adoption, leaders are working at scale; laggards are still working in silos.

Our research shows that companies that are getting it right are taking a strategic approach, introducing future-capable systems that are boundaryless, adaptable and human-centred.

To secure the latest technology, leverage the latest technology!

Leaders don’t use cloud as a data centre, they use it to catalyse innovation; they don’t have a legacy IT culture and inflexible architecture with interlayer dependencies, they introduce an agile IT culture and decoupled, flexible architecture. And when it comes to security, leaders don’t have an inconsistent approach to risk with patchwork or after-the-fact security management; their data is reliable and security is proactively and systematically integrated into development lifecycles.

As a result, leaders have good IT and business alignment.

LIVING SYSTEMS – AN INNOVATION MULTIPLIER


Where laggards are constrained by legacy solutions and processes, incompatible systems and data, and vulnerabilities that threaten delay, compromise or loss, leaders have ‘living’ systems that are able to respond, at pace, to market dynamics.

Living systems are innovation multipliers.

Our global Future Systems research quantifies their advantage and the innovation gap. Leaders, those that are evolving to future systems—living systems—perform better financially: they are growing revenue at more than double the rate of laggards.

These leaders master technology adoption. This holds true for the South African sample of our global Future Systems research.

For laggards, the gap continues to grow. Laggards surrendered 15 percent in foregone annual revenue in 2018, and stand to potentially miss out on an astonishing 46 percent in revenue gains by 2023 if they do not change their enterprise technology approach.

That’s significant.

In South Africa, many companies are just getting started with digital. However, they are quickly realising that if they don’t radically change the way they deliver IT systems, they are not going to reap the full benefits of digital transformation.

Leaders master technology adoption

[Chart: technology adoption by Leaders versus Laggards, in percent. Technologies shown: Edge/Fog Computing; Bottom-Up AI (e.g. deep learning, machine learning); Data Lakes (data repository); Cloud Native Applications (custom); Blockchain; Top-Down AI (e.g. expert systems, logic and inference engines); Open source; Cloud IaaS/Infrastructure as a service; Cloud PaaS/Platform as a service; Cloud SaaS/Software as a service; Big data analytics; Internet of Things (IoT); Streaming/real-time data; Robotics*; DevSecOps; FaaS/Functions as a Service; RPA (Robotic Process Automation); DevOps automation/CI/CD; Microservice Architectures; Containers, Docker & Kubernetes; React/Event-driven architectures; Hybrid Cloud; 3D Printing*; Serverless Computing; NoSQL databases (key-value, document, graph); Extended Reality (AR/VR/MR); Distributed logs/event hubs.]

* 3D Printing and Robotics only include the following industries: Automotive; Chemicals; Consumer Goods & Services; Energy (incl. Oil & Gas); Health; High Tech; Industrial Equipment; Life Sciences; Metals and Mining; Retail.

* Refers to: technologies used within the last year, more than a year ago, more than 3 years ago, or more than 5 years ago.


DevOps, a set of practices that combines software development and IT operations, bridges the gap between these two previously siloed functions, speeding up the development lifecycle and enabling continuous IT delivery. It brings automation, repeatability and agility. But its ‘fail fast’ and agile IT culture also introduces high-velocity, aggressive experimentation of ‘shippable digital products’ … and the more frequently code changes, the higher the risk of introducing security vulnerabilities into production.

As development teams work to drive speed and innovation across Web and mobile applications, security can seem more nuisance than necessity. This viewpoint is increasingly risky given today’s application and threat landscapes.

If you’re not infusing security practices into your development efforts from the early stages, you are setting the stage for a risky, and potentially devastating, outcome.

Historically, application security has been a discrete effort at the tail end of the development process. Many teams have tackled it as part of the testing phase with a goal of creating barriers to guard against unauthorised access to applications, systems and data. Why is this dangerous?

For starters, the application landscape is changing dramatically and rapidly as single-channel, static applications give way to dynamic, multichannel digital services. Increasingly, systems are composed of services from a variety of sources—legacy applications, software-as-a-service and digital platforms—and deployed via the cloud across numerous application channels, including mobile devices and embedded systems. At the same time, the notion of versioning has changed, as we no longer consume a specific service. Instead, we consume the current build, which may be replaced by a new one tomorrow. In other words, it is increasingly difficult to safeguard highly dynamic systems using static security reviews.

Furthermore, vulnerabilities may not be uncovered until very late in development, leading to risk of delayed launch and potentially high remediation costs. So, as Web, mobile and other applications change more quickly—and become more integral to an agency’s operations—application security needs to evolve to keep pace.

APPLICATION SECURITY NEEDS TO EVOLVE TO KEEP PACE


DevSecOps infuses security throughout application development, operations and maintenance.

To deliver secure working code using modern agile development methodologies, security can no longer be a horizontal capability within the IT organisation, disconnected from the systems delivery team.

It must become a vertical mindset and skillset that is applied during each sprint and across every aspect of development and operations. This requires that every developer has a security mindset, understands best practices and is enabled with the capability to apply those practices as part of day-to-day development activities.

The benefits?

DevSecOps:

• Speeds up development by 20 to 30 percent.

• Lowers remediation cost by up to 30 times.

• Requires 30 to 50 percent fewer staff.

• Makes security part of the business case.

How do organisations get there?

Tomorrow’s leaders are adopting living systems. They already have a big head start. And they will not be standing still.

SECURITY – A VERTICAL MINDSET

[Figure: four columns, Customers, Development, Operations and Security, labelled in order "Wanting Flexibility", "Wanting Change", "Wanting Stability" and "Wanting Security". Labels between the columns: "Agile Development fixes this", "DevOps fixes this", "DevSecOps fixes this". Bullet groups, in the order they appear:

• Create flexibility; improve time to market

• Create effective change; add/modify features

• Create flexibility; improve time to market

• Create security; protect customers and the enterprise]


To scale innovations repeatedly and grow twice as fast as others, companies must evolve to living systems, doing what the top 10 percent of technology leaders do.

• Think in terms of systems and not individual technologies.

• Concentrate not only on technology adoption, but also on its penetration across the enterprise, to enable innovation transfer and a nimbler response to market conditions.

• Carefully consider how new technologies will interact with the people and processes already in place in the organisation, and nurture talent in creative ways.

Moving from a traditional IT footprint to living systems requires a series of transformations:

EVOLUTION TO LIVING SYSTEMS

Business and IT alignment. Create integrated agile business-IT teams and eliminate ‘shadow’ IT teams; and increase business-outcome centricity by aligning IT SLAs to business KPIs.

Continuous innovation. Consider a platform approach and a fail-fast approach. Make use of microservices and decoupled systems to create a living architecture that can adapt to changing needs.

Talent transformation. Encourage system-centric rather than applications- and infrastructure-centric outlooks. Introduce build-to-operate approaches that include site reliability engineering and DevSecOps. Automate triage and fixes, and AI-enable teams to drive evolution.


Security is everyone’s responsibility—bake it into the delivery value chain!

To balance business needs with security risks, start by focusing on these key areas:

SET AND ENABLE STANDARDS. A secure technical architecture integrated within the overarching business and security architecture is a critical first step to effective application security. Identify the training and tooling needed to enable developers to effectively implement standards in clear ways that can be validated in DevSecOps pipelines.

MODEL THREATS TO ASSESS RISK. A standard technical architecture is critical to security, but so is an understanding of the context in which an application will be used and the infrastructure in which the application will operate. Threat modeling considers that context to help develop appropriate safeguards and security testing approaches that can be included in automated testing scenarios.

TEST TO IDENTIFY VULNERABILITIES. Testing remains a key enabler of application security. Instead of saving it for the very end of the software development lifecycle, make it part of every development sprint. Static code analysis (SCA) uses basic testing to identify and flag areas with common mistakes. Complement that with static application security testing (SAST, or “white box testing”) to see if the application can be penetrated, as well as dynamic application security testing (DAST) to evaluate security when an application is running.

Today, security is everyone’s responsibility – it needs to be embedded into new operating models that are built for change. South African businesses must make this shift now to lead in the future.


Make the shift. Adopt DevSecOps. 87% of South African leaders do.


ABOUT ACCENTURE

Accenture is a leading global professional services company, providing a broad range of services and solutions in strategy, consulting, digital, technology and operations. Combining unmatched experience and specialised skills across more than 40 industries and all business functions – underpinned by the world’s largest delivery network – Accenture works at the intersection of business and technology to help clients improve their performance and create sustainable value for their stakeholders. With 492,000 people serving clients in more than 120 countries, Accenture drives innovation to improve the way the world works and lives. Visit us at www.accenture.com.

Copyright © 2019 Accenture. All rights reserved.

Accenture, its logo, and High Performance Delivered are trademarks of Accenture.

The views and opinions expressed in this document are meant to stimulate thought and discussion. As each business has unique requirements and objectives, the ideas should not be viewed as professional advice with respect to your business.

This document makes descriptive reference to trademarks that may be owned by others. The use of such trademarks herein is not an assertion of ownership of such trademarks by Accenture and is not intended to represent or imply the existence of an association between Accenture and the lawful owners of such trademarks.

AUTHOR

David Christie

Managing Director - Intelligent Engineering Services Lead, Accenture Technology, South Africa

Contact: [email protected]