Key Findings

ITWeb, in partnership with Accenture and Micro Focus, conducted a DevOps survey during September 2020 to find out how companies were approaching threat modelling in their application development projects.

A total of 216 valid responses were captured - 40% of respondents are at executive or mid-management level, 44% are at staff level and the rest are software consultants.

Here are the key findings:

  1. When asked how they approach threat modelling in their application development process, 39% of respondents indicated that all applications went through threat modelling and attack vectors were addressed during implementation. However, 21% reported that threat modelling was not done in the project at all.
  2. 24% said their team had basic secure coding skills but needed guidance to apply security concepts in depth, while a further 19% reported that “some developers are trained with security coding practices” but not all.
  3. One third of respondents said real-time collaboration exists between security engineering and software engineering teams. But in 13% of the participating companies, there is no collaboration, as software and security teams mostly operate in silos.
  4. Nearly half of the respondents (46%) believe standards are well defined in their project team and team members understand and are able to implement them.
  5. Asked if the app development project follows any standard metrics or KPIs, 28% said they followed internally defined metrics, while 26% have industry-standard metrics applied in the project.
  6. Security is monitored and tools are used for both monitoring and reporting by 36% of participating software teams.
  7. 32% reported that only key/strategic projects are scanned for open source component analysis, and 28% do it only on request.
  8. Nearly a quarter (24%) say that all code - both application and infrastructure - is considered for automated security testing.
  9. When asked how feedback is provided to developers on issues found in scans, 26% said that scan reports are sent to developers directly with no automation in the process.
  10. Just about a third (31%) indicated that software component analysis is integrated into the CI server as a job in the DevOps pipeline.