Gartner recently posted their Top 10 Strategic Technology Trends for 2018 and DevSecOps practices made the list.
Here's what they said, "Traditional security techniques using ownership and control rather than trust will not work in the digital world. Infrastructure and perimeter protection won’t ensure accurate detection and can’t protect against behind-the-perimeter insider attacks. This requires embracing people-centric security and empowering developers to take responsibility for security measures. Integrating security into your DevOps efforts to deliver a continuous 'DevSecOps' process."
The Gartner blog details what we've been discussing for quite some time now at Sonatype and that is: traditional security practices can't keep up in a DevOps world. Bolt-on practices at the end of the SDLC won't work. Analysis of applications that take eight to 24 hours to complete don't fit. Open source governance that delivers 90% false positives won't scale. And Dev, Sec, and Ops teams that maintain tribal conflicts, can't evolve to a better state.
When it comes to DevSecOps, we've been writing, organizing conferences, leading discussions, hosting meet-ups, and speaking at industry events on it for about four years now. That said, when your a small but fast-growing technology firm, those early days are often missed by the mainstream; but in 2017, Gartner's coverage really picked up steam. Gartner reported over 600 analyst inquiries on DevSecOps in the past year. They've published numerous reports on DevSecOps led by folks like Neil MacDonald, Ian Head, and Mark Horvath.
Make no mistake. Gartner did not make the DevSecOps market. They are reporting on what they hear from their clients in the market and providing expert guidance to help those customers navigate their own transformations. When Gartner starts regular coverage of a topic, you know that it's gone mainstream.
Whether you are just getting started on your DevSecOps journey or started heading down that path years ago, Gartner offers sage advice in their paper, 10 Things to Get Right for Successful DevSecOps. It offers great perspective and is worth reading.