A+ for automation

DevOps report card: Security must be part of the software delivery cycle

Sarah Schlothauer
© Shutterstock / Terrance Emerson

Puppet’s State of DevOps: Industry Report Card rates different sectors, from finance to retail, on how well they have integrated security into their DevOps practices and their DevOps maturation level. This report reveals some tricks of the trade. See what different industries struggle with and where each excels and find out what the most successful organizations have in common.

After surveying nearly 3,000 tech and professionals from around the world, Puppet released its findings from the State of DevOps: Industry Report Card. The survey examined how different industries rate in DevOps maturation and security integration.

One of the key findings of the survey is how much of an impact security integration has on not only software delivery cycles, but on vulnerability remediation as well. Of course, transformation is not easy and security integration can be split into a series of levels. Reaching the next level of security requires time and money, disrupts workflow, and in some industries, challenges practices that have been in place for decades.

Alanna Brown, Sr. Director Community and Developer Relations at Puppet said:

Integrating security into your DevOps practices can be challenging, but when done correctly is proven to pay off. Security should not be an afterthought; it must be a shared responsibility across teams during every stage of their software delivery lifecycle.

This study examined the following industries: Financial services and insurance, government, retail, tech, and telecommunications. How did each industry fare and which ones made the grade?

SEE ALSO: 2020 IT skills: what we learned from 213,782 coding tests

Financial institutions gets a harsh grade

According to the survey, financial services are the worst at integrating security into DevOps practices. One of the reasons for this is that many financial institutions have been around for decades, and thus, disruption is difficult. Developers are also likely dealing with huge amounts of tangled technical debt and legacy codebases.

A majority of respondents (67%) from financial institutions agreed that their security team could prevent unplanned work if only it was included earlier. Financial institutions also reported a lack of security experts embedded in delivery teams.

The struggles financial services face teach us that security experts and automation should be given high priority.

Retail deploys on time

Retail industries stand out from the crowd in a few instances. They were the fastest at resolving critical vulnerabilities; 53% of critical security vulnerabilities were remediated in less than a day. Retail also saw a high ability to deploy on-demand.


Retail leads in the time it takes to remediate critical security vulnerabilities. Source: Puppet State of DevOps Industry Report

A large number of retail firms consider themselves to be at a high level in their DevOps journey.

Despite this, retail is also notorious for security breaches. The survey revealed that retail industries are less likely to integrate security in late stages of development and need to conduct better security testing practices.

Leading DevOps leadership

Unsurprisingly, the tech industry scores the highest when it comes to practices such as continuous delivery, DevOps maturation, and integrating security into software delivery cycles. However, retail scores better than the tech sector when it comes to container image deployment and testing.

Tech companies have a higher degree of leadership support compared to other industries. 28% of tech companies reported that leadership always supports DevOps practices.

SEE ALSO: How machine learning is changing business communications

What do successful organizations have in common?

High-performing organizations, in particular, spent less time on unplanned work. Unplanned work ranges from emergency software deployments, patches, and reworking fixes. Because they spent less time quenching emergency fires, they had more time to work on new features. Continuous delivery cycles and automation are ways of reducing unplanned work.

Viewing security as a shared responsibility is another key to success. Tech companies, in particular, have a higher average of seeing security as a concern that affects all teams and doesn’t stop at just the security team.

Download the report and see what other insights Puppet unveiled.

Sarah Schlothauer

Sarah Schlothauer

All Posts by Sarah Schlothauer

Sarah Schlothauer is the editor for She received her Bachelor's degree from Monmouth University, West Long Branch, New Jersey. She currently lives in Frankfurt, Germany with her husband and cat where she enjoys reading, writing, and medieval reenactment. She is also the editor for Conditio Humana, an online magazine about ethics, AI, and technology.

Inline Feedbacks
View all comments