Survey Results: DevSecOps Drives Efficiency, Security, and Agility

Recently, Chef commissioned a survey of security professionals in order to provide greater insight into what security leaders are most concerned with and how collaboration with I&O (Infrastructure & Operations) is needed within enterprise-sized organizations.

We sought out to determine how important DevSecOps is within the Software Development Life Cycle (SDLC), the importance of Audits within DevSecOps and the overall impact DevSecOps is having on enterprises.  Here is what we found out:

  • Security automation speeds software delivery and improves quality – DevSecOps adopters are 3x as likely as non-adopters to see security as something that speeds software delivery and most organizations (84%) agree security improves quality as well.
  • Audits present an enormous automation opportunity – audits are time-consuming taking 2 months to complete on average and are also considered the top pain point addressed by DevSecOps.
  • DevSecOps practices are becoming widespread – 78% of organizations surveyed have adopted or are planning on adopting DevSecOps practices.

For more stats from the survey results download our Survey Whitepaper.

How important is DevSecOps in the SDLC?

We found out that Security is part of the broader IT organization (76% of respondents confirm) and not part, and is considered a CRITICAL part of the Software Development Lifecycle by a majority of respondents. While Security’s importance is unquestionable, it’s interesting to note that the adoption of security practices is not as commonplace as we’d expect.

Organizations that have adopted DevSecOps practices, have assessed for security compliance in every stage of the SDLC, in stark contrast to the non-adopters who concentrated assessment in Plan, Test and  Deploy.

Interesting that despite frequent security/compliance assessments so many applications are frequently released with vulnerabilities, with nearly three-quarters of companies releasing flawed applications more than once a year.

Importance of Security Audits

Collaboration between all teams involved in security audits; Development, Security and Operations are very strong, with the majority of respondents (93%) indicating a good or excellent collaboration among the teams. 

The average security scan takes about 5 hours to complete, with security audits taking as long as 2 months on average to complete, where 71% of respondents confirm they take more than a month to complete an audit.

Security teams are generally efficient in providing audit feedback and Dev and Ops teams are highly confident in the accuracy of their feedback. Most companies effectively integrate the security feedback, but there is room for improvement since only 28% believe they are extremely effectively integrated.

Impact of DevSecOps

DevSecOps impacts the pace AND quality of the software delivered. The survey results showed that 47% of adopters believe DevSecOps increases their speed with 42% of non-adopters say it slows them down. As far as quality is concerned, 84% of respondents believe DevSecOps improves the quality of the software delivered.

Most organizations have adopted or are considering adopting DevSecOps, with 78% of respondents confirming this; and with the most common objection to adopting these practices being money, time and resources. DevSecOps and automated security and compliance testing adoption is a recent phenomenon; with most organizations having done so within the past 2 years.

Chef for DevSecOps

Chef offers a portfolio of solutions to automate infrastructure configuration, security, compliance, and application delivery to bring continuous automation to the SDLC. Chef is now among the leading companies offering solutions to enable DevSecOps.

Our flagship compliance offering, the Chef Effortless Infrastructure Suite, allows organizations to detect and correct for security and compliance at different stages of the SDLC.

We automate configurations and ensure that infrastructure remains consistent, compliant, and secure throughout its lifetime, even in complex, heterogeneous, and large-scale environments.

Chef allows organizations to define “everything as code”—compliance policies, infrastructure, and application dependencies—providing a common DevSecOps language that can be shared, scaled, and automated.

Chef solutions include pre-built content to enable compliance to industry-standard security benchmarks such as CIS (Center for Internet Security) and DISA STIGs and are customizable to any enterprise-level compliance standards.

Chef’s “everything as code” approach speeds software delivery, improves adherence to security and compliance standards, and significantly reduces time spent on audit and remediation activities

What Next

For more information on the survey results download our Survey Whitepaper.

For more information on Chef’s DevSecOps capabilities visit

To view the survey results webinar on-demand visit:


Alan Baptista

Alan is a Product Marketing Director at Chef, working remotely from Southern California. His career of over 20 years has been in product marketing, sales operations and international business roles for enterprise software, telecommunications and government space at organizations such as CA Technologies, Experian, InterVoice and US Commerce Department. When not helping customers tell their success stories he enjoys traveling and exploring Sous-Vide cooking and BGE Grilling.