Ignore security for the sake of a deadline, and you will be the reason for the next big data breach headline.

Suyash Gaikwad

Important Results of the Survey:

  1. Dangerous Software Downloads

    71% of businesses permit developers to download software packages straight from the internet, which is risky as these packages may contain malware or other hidden flaws.

    Hackers can use this to target businesses; it’s similar to installing arbitrary software on your laptop without verifying its security.

  2. Inadequate Security Scanning

    Less than half (43%) of businesses look for security flaws in both the source code and the finished product.

    40% of businesses may be running dangerous code without realising it, because they don't know where all of their software comes from.

  3. An abundance of security tools, but do they get used?

    Although 49% of businesses utilise ten or more security tools and 73% have seven or more, many of these technologies produce false alarms, which developers choose to ignore.

    It's similar to installing several antivirus apps on your computer but never using them because they constantly generate false alarms.

  4. Vulnerabilities and Revealed Information

    More than 33,000 serious vulnerabilities—bugs that hackers might exploit to harm systems—were discovered by security experts in 2024.

    But only 12% of them were truly hazardous, indicating that businesses frequently squander time addressing issues that pose no harm.

    More than 25,000 secrets and tokens were made public in public repositories like Hugging Face and Docker Hub, where developers exchange software and AI models (think of it as making your bank account password publicly visible).

  5. The True Obstacle: Collaborating with Developers

    Increasing the number of security tools won't solve the issue.

    Rather, organisations must educate a small number of developers about security so that they may educate others and enhance the culture of security as a whole.
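The first finding above, developers pulling packages straight from the internet, has a simple technical counterpart: never install an artifact unless its digest matches one recorded in a reviewed lock file. The script below is an added example for this post, not code from the survey or its author. The lock file format, the package names and the package bytes are constructed for the demonstration; in real projects pip's --require-hashes, npm's package-lock.json and Go's go.sum play the same role.

```python
"""Verify a downloaded package against a pinned SHA-256 digest before use.

Added example: a reviewed lock file maps each expected artifact to its digest,
and anything that is unpinned or whose bytes do not match is refused.
"""
import hashlib
import hmac

# Constructed lock file: package name -> expected SHA-256 hex digest.
# A real lock file stores the literal hex string; it is computed here only so
# the example is self-contained.
PINNED_DIGESTS = {
    "example-lib-1.2.0.tar.gz": hashlib.sha256(b"trusted release contents").hexdigest(),
}


def sha256_hex(data: bytes) -> str:
    """Return the hex SHA-256 of an in-memory artifact."""
    return hashlib.sha256(data).hexdigest()


def verify_artifact(name: str, data: bytes, pinned: dict = PINNED_DIGESTS) -> bool:
    """Return True only if `name` is pinned and `data` hashes to the pinned digest.

    An artifact that is not in the lock file at all is rejected too: an unknown
    package is exactly the "download straight from the internet" case.
    """
    expected = pinned.get(name)
    if expected is None:
        return False
    # compare_digest keeps the comparison itself free of timing differences.
    return hmac.compare_digest(sha256_hex(data), expected)


def install_if_trusted(name: str, data: bytes) -> str:
    """Gate a (simulated) install step on the digest check."""
    if not verify_artifact(name, data):
        return f"REJECTED {name}: digest mismatch or package not pinned"
    return f"installed {name}"


if __name__ == "__main__":
    good = b"trusted release contents"                 # constructed: what the pin was made from
    tampered = b"trusted release contents" + b"\x00"  # constructed: one extra byte
    print(install_if_trusted("example-lib-1.2.0.tar.gz", good))
    print(install_if_trusted("example-lib-1.2.0.tar.gz", tampered))
    print(install_if_trusted("unpinned-lib-0.1.tar.gz", good))
```

The point of the unpinned case being rejected is that a mirror or internal proxy can serve the same check: a build only ever consumes what someone has already reviewed and pinned.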

Why Does DevOps Care About This?

  • DevOps emphasises automation and speed in software development.

  • However, if security is neglected, businesses may release software that has significant flaws that hackers might take advantage of.

  • Instead of adding security as an afterthought, DevSecOps makes sure that it is incorporated into the process from the beginning.

What Does This Teach DevOps Engineers?

  1. Security scanning is crucial; get proficient with tools like SonarQube, Snyk, and Trivy to scan code and containers.

  2. Strike a balance between efficiency and security—too many false alarms might cause "alert fatigue," which causes people to overlook actual problems.

  3. To establish DevSecOps as a normal procedure, DevOps engineers should educate themselves and others on fundamental security concepts.
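Lessons 1 and 2 go together: a scanner such as Trivy only helps if its output is triaged so the pipeline blocks on findings a developer can actually act on, and everything else stays visible without failing the build. The script below is an added example for this post, not code from the survey, from Trivy, or from the author. The JSON is constructed to follow the field names Trivy uses in its JSON report (Results[].Vulnerabilities[] with VulnerabilityID, PkgName, InstalledVersion, FixedVersion and Severity); the CVE identifiers in it are placeholders, not real advisories, and the accepted-risk list is invented for the demonstration.

```python
"""Triage a Trivy-style vulnerability report so a CI gate blocks only on actionable findings.

Added example: HIGH/CRITICAL findings with a fix available fail the gate;
findings with no fix yet are deferred, and reviewed exceptions are recorded
with a reason so they stay auditable.  Sample data is constructed.
"""
import json

# Constructed sample report with placeholder CVE ids (not real advisories).
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "registry.example/app:1.0",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "registry.example/app:1.0 (debian 12.5)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "CRITICAL"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample",
                 "InstalledVersion": "1.0-1", "FixedVersion": "", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "othertool",
                 "InstalledVersion": "2.3", "FixedVersion": "2.4", "Severity": "LOW"},
            ],
        },
        {
            "Target": "app/requirements.txt",
            "Class": "lang-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "somepylib",
                 "InstalledVersion": "0.9", "FixedVersion": "1.1", "Severity": "HIGH"},
            ],
        },
    ],
})

BLOCKING_SEVERITIES = {"CRITICAL", "HIGH"}

# Findings a human has reviewed and accepted (constructed).  Recording the reason
# makes the exception auditable instead of a silent suppression.
ACCEPTED_RISK = {"CVE-0000-0004": "not reachable: somepylib only used in build tooling"}


def triage(report_json: str, accepted: dict = ACCEPTED_RISK):
    """Split findings into blocking, deferred (no fix available) and accepted.

    Only blocking findings should fail the pipeline; the others are reported so
    they stay visible without training developers to ignore the gate.
    """
    blocking, deferred, accepted_hits = [], [], []
    report = json.loads(report_json)
    for result in report.get("Results", []):
        # Trivy omits "Vulnerabilities" (or sets it to null) when a target is clean.
        for vuln in result.get("Vulnerabilities") or []:
            entry = (vuln["VulnerabilityID"], vuln["PkgName"], result["Target"])
            if vuln["Severity"] not in BLOCKING_SEVERITIES:
                continue  # below the bar: stays in the full report, never in the gate
            if vuln["VulnerabilityID"] in accepted:
                accepted_hits.append(entry)
            elif not vuln.get("FixedVersion"):
                deferred.append(entry)  # nothing the developer can change today
            else:
                blocking.append(entry)
    return blocking, deferred, accepted_hits


def gate_passes(report_json: str) -> bool:
    """CI exit decision: True when no actionable HIGH/CRITICAL finding remains."""
    blocking, _, _ = triage(report_json)
    return not blocking


if __name__ == "__main__":
    blocking, deferred, accepted = triage(SAMPLE_REPORT)
    for label, items in (("BLOCKING", blocking), ("DEFERRED (no fix yet)", deferred), ("ACCEPTED", accepted)):
        print(f"{label}: {len(items)}")
        for vuln_id, pkg, target in items:
            print(f"  {vuln_id} in {pkg} ({target})")
    raise SystemExit(0 if gate_passes(SAMPLE_REPORT) else 1)
```

Run against the sample, one finding blocks (a CRITICAL with a fixed version), one is deferred, one is an accepted exception and the LOW finding never reaches the gate. Deferring unfixed findings is the same idea as Trivy's --ignore-unfixed flag; doing it in a small script lets a team add the accepted-risk reasons and later expire them.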

Naturally, it is up to each organisation to decide how best to implement DevSecOps workflows. However, considering how fragile many software engineering workflows are already, the challenge extends far beyond merely providing some extra scanning tools to application developers, who are almost always going to have limited security expertise.

Reference:
