DevSecOps is struggling with a low adoption rate, yet those who have implemented the process praise its impact — notably in incident detection efforts and incident response and remediation times, according to a new report from observability platform provider Mezmo and Enterprise Strategy Group (ESG).
Mezmo and ESG's "Leveraging Observability Data for DevSecOps" report found that of the 200 DevOps and IT/information security professionals surveyed, only 22% of the organizations they represent have developed a formal DevSecOps strategy. However, the study notes that there is potential for growth in DevSecOps adoption: 62% of respondents' organizations are actively evaluating use cases or have plans to implement DevSecOps.
DevSecOps crusaders have reaped its benefits: 95% of respondents who have developed a DevSecOps strategy for integrating security into software development lifecycle processes reported a positive impact on accelerating incident detection, and 96% reported the same positive impact on incident response.
Overall, more than half of respondent organizations using DevSecOps tools and processes saw a significant reduction in incidents occurring in production, according to the report.
Still, more companies are prioritizing establishing a culture of collaboration and encouraging developers to leverage security best practices over adopting DevSecOps tools.
Barriers to DevSecOps Success
Some of the challenges holding up DevSecOps success are problems with data volume, collection, and analysis, according to the report, which points to the need for "better tooling to generate actionable insights."
Of those surveyed, 84% believe that getting developers the right data and tools is key to DevSecOps success. As organizations increase the "speed and volume of releases to serve more customers," vast volumes of data are being collected. A majority of respondents (54%) use several terabytes of data per month.
"To move fast and build secure applications, companies need solutions that help them to fully harness the value of their data to drive better results," Mezmo CEO Tucker Callaway explained. "To achieve this, teams are looking for observability solutions that are flexible and scalable, with automation features to help improve data collection and analysis."
The Hunt for a 'Single Source of Truth'
The average time it takes to triage and understand a security incident is 17.5 person-hours, the report highlights, and 82% of companies would like to reduce that figure. Yet, due to the high cost of storage and retention, 69% of organizations do not capture certain data sources.
This practice is problematic, since without total visibility an organization's incident analysis and response is slower and less thorough. Nearly all respondents use multiple tools to get the most out of their organization's data, yet the lack of a "single source of truth" holds back security teams.
Most companies surveyed (87%) use open source tools as part of their observability stacks, but 84% believe it will become challenging to manage, adopt, and scale with these solutions, according to the report.
However, DevSecOps is slowly but surely making its rounds in the security industry. Organizations are looking for a solution that scales to fully harness their data and drive better results, and 98% of respondents are likely to investigate a managed solution over the next 12 months.