DEVSECOPS PRACTICES AND OPEN SOURCE MANAGEMENT IN 2020

A SURVEY OF 1,500 IT PROFESSIONALS

TABLE OF CONTENTS

Introduction
Section 1: Survey Highlights
    DevOps and the secure SDLC
    DevSecOps tools
    Open source selection and governance
    Open source security and patching
    Open source project sustainability
    Conclusion: Developing security in depth for the SDLC
Section 2: Full Survey Results
    Respondent demographics
    Questions

DEVSECOPS PRACTICES AND OPEN SOURCE MANAGEMENT IN 2020 | synopsys.com

INTRODUCTION

In August 2020, the Synopsys Cybersecurity Research Center (CyRC) and Censuswide, an international market research consultancy, conducted a survey of 1,500 IT professionals with DevSecOps as part of their role and who work in cyber security, software development, software engineering, and web development. The group was recruited to take part in an online survey focused on DevSecOps practices and open source use. Participants came from the United States, the United Kingdom, Finland, Germany, China, Singapore, and Japan, with at least 50 respondents from each country.

The survey is part of CyRC’s ongoing research into cyber security practices and is intended as a complement to Synopsys’ annual Open Source Security and Risk Analysis (OSSRA) report. This survey reports on the tools organizations in the business of building software are employing to integrate open source management into their DevOps practice.

As the 2020 OSSRA report [1] details, almost 100% of the 1,200+ audited codebases in that report contained open source components or libraries, with open source making up 70% of the codebases themselves. Gartner’s report, “Market Guide for Software Composition Analysis,” [2] relates that due to the prevalence of open source in modern software development, corporate interest in software composition analysis (SCA) tools used to manage open source is growing rapidly, with inquiries to the analyst firm on the topic increasing nearly 40% from 2019 to 2020.

While the OSSRA report provides an in-depth snapshot of the current state of open source security, compliance, and code quality risk, this survey reports on the tools organizations in the business of building software are employing to integrate open source management into their
Synopsys - DEVSECOPS PRACTICES AND OPEN SOURCE MANAGEMENT IN 2020 (English version)
This document was uploaded and shared by 路人甲 on 2022-06-17 03:20:28.