Application security, Cloud Security, DevSecOps

Software developers warm up to automated testing as security, cloud rise in importance

A GitLab employee workstation. The company recently released an annual survey on software development trends. (GitLab's website)

Developers are frustrated about the sluggish pace of testing code for security and functionality and are increasingly incorporating automation and machine learning to ease workloads, according to results from an annual survey on software development trends from GitLab.

The survey picks up on the continuing problem that developers have faced around testing over the past few years, with a majority of respondents saying the code testing and review process was a frequent source of delay in the development process.

One specific piece of feedback from a customer noted that “testing delays everything.” Another complained that their software delivery teams passed testing responsibilities to their quality assurance employees in lieu of writing end-to-end testing suites, something they said has led to “very long” bottlenecks when shipping code to production. Other complaints highlighted how their employees do not like reviewing code and find it to be “a chore.”

It is perhaps unsurprising then that automation – viewed as a promising pathway for improving the speed of testing and scanning code – is being steadily incorporated into more of the software development process. Fifty-six percent of respondents said they are fully or mostly automated now, a jump of 10% from the previous year. A quarter say they have fully automated testing environments, while three out of four said they use some form of machine learning, artificial intelligence or bots to conduct testing and code reviews, a 35% increase year over year.

However, here too there are complications, with developers expressing frustration about the technical limitations and lack of practical automation options for parts of the code testing process.

“The strongest light at the end of the testing tunnel may be found in the use of artificial intelligence/machine learning,” the report states, noting that adoption of such tools has more than doubled over the past year and a substantial number of their customers say it is the most important skill they could learn for their future careers.

The sentiments point to growing acceptance within the developer community that security, like software development, is an iterative and continuous process. While “DevSecOps” has been around for decades, it’s clear that many organizations have yet to integrate the concept in part or in whole.

“The nature of a zero-trust system is that security is continuous and it’s checked all the time,” said TJ Jermoluk, CEO of Beyond Identity, which works to build passwordless identity and authentication services into the software updating process. “You have to move from being bound to checking security at the perimeter of things to checking it at everything…at every single point where any form of transaction is done, whether it’s access to a database or an application or checking in source code.”

One of the biggest changes from previous years is around adoption of Kubernetes, the open-source platform for automating cloud-based containers, workloads and services that can also be used to conduct end-to-end code testing and review. Last year, just 38% of security personnel reported using the platform, with 50% saying it wasn’t part of their process. This year, a plurality said they now use it to test code in their cloud environments (46%) and just 37% said they don’t.  

Other tools like static and dynamic attack surface testing saw big jumps in use as well.

The survey was conducted on 4,294 GitLab customers. While it drew from multiple industries, disciplines and regions, the most common respondent was male (81%), a software developer or engineer (41%) who was located in Asia (50%).

Derek B. Johnson

Derek is a senior editor and reporter at SC Media, where he has spent the past three years providing award-winning coverage of cybersecurity news across the public and private sectors. Prior to that, he was a senior reporter covering cybersecurity policy at Federal Computer Week. Derek has a bachelor’s degree in print journalism from Hofstra University in New York and a master’s degree in public policy from George Mason University in Virginia.
