US Leads in Many DevSecOps Practices, France and Japan Trail
The U.S. is far ahead of the rest of the world in its adoption of several software and network security practices, according to the “Global State of DevSecOps 2023” report released in October by Synopsys. Countries like France and Japan should take notice and consider re-prioritizing future efforts.
Responsibility for security testing varies greatly depending on location. For instance, 53% of U.S. survey participants said developers are at least partly responsible for security testing, compared to 45% globally, an indicator of higher level DevSecOps maturity in the United States.
Similarly, reliance on cross-functional DevSecOps teams is also higher in the U.S. compared to global peers (45% versus 36%), as well as the use of external consultants (46% versus 33%), which are often used for penetration testing.
IT professionals in France were less likely to believe multiple teams were involved with security testing. In particular, only 37% of French survey participants said that an internal security team does infosec testing, as compared to 46% globally. Japanese organizations tracked close to the worldwide average in terms of developer and internal security responsibility for security testing.
However, like the French, Japanese respondents were also less likely to use cross-functional DevSecOps teams (France, 29% and Japan 28%) and external consultants (France, 28% and Japan 29%)/
Synopsys surveyed just over 1,000 IT professionals across a variety of industries, with at least 125 participants each from China, Finland, France, Germany Japan, Singapore, the U.K. and the U.S.
US Companies More Likely to Act Upon Threat Data
Both Japanese and French organizations are far behind the U.S. and global benchmarks for several practices associated with modern DevSecOps teams. Some key findings:
- While 46% of U.S. respondents said their organizations use Infrastructure as Code, only 22% of French and 15% of Japanese respondents said likewise.
- The dynamic is similar for application security orchestration and automation (ASOC), with this approach used by 40% in the U.S. as compared 20% in France and 18% in Japan.
- Meanwhile, the U.S. outpaces Japan in terms of utilizing threat and response data (40% versus 23%). Third-party vendors often provide threat and response data, which in turn assists with automated scanning, vulnerability management, and application security testing. Perhaps Japanese companies' use of third-party data will increase if and when they engage more external consultants and ASOC providers.
- Compared to both the global average and the U.S., Japanese respondents are significantly less likely to believe open source/third-party dependency analysis, (68%, 75% and 56%, respectively) and container security testing (67%, 80% and 50%, respectively) are very or somewhat useful.
Note that data from Chinese and German respondents also displayed wide variation for some survey questions. However, the differences may be due to an over-representation of tech/cybersecurity/application development companies from China and these industries being underrepresented among the Germans.