Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/sonatype-nexus-community/devsecops-community-survey
The question set used for the DevSecOps Community Survey
https://github.com/sonatype-nexus-community/devsecops-community-survey
appsec automation culture development devops devsecops pipeline security survey
Last synced: about 1 month ago
JSON representation
The question set used for the DevSecOps Community Survey
- Host: GitHub
- URL: https://github.com/sonatype-nexus-community/devsecops-community-survey
- Owner: sonatype-nexus-community
- License: mit
- Created: 2020-04-16T15:28:12.000Z (over 4 years ago)
- Default Branch: master
- Last Pushed: 2020-12-16T22:29:46.000Z (about 4 years ago)
- Last Synced: 2024-07-29T17:54:49.026Z (5 months ago)
- Topics: appsec, automation, culture, development, devops, devsecops, pipeline, security, survey
- Homepage: https://sonatype.com/2020Survey
- Size: 20.5 KB
- Stars: 2
- Watchers: 11
- Forks: 3
- Open Issues: 0
-
Metadata Files:
- Readme: README.md
- License: LICENSE
- Security: SECURITY.md
Awesome Lists containing this project
README
# DevSecOps Community Survey Questions
## Overview
As part of our Sonatype's commitment to DevSecOps and to determine the pulse of DevSecOps in our community, we've decided to open source the questions we used for the 2020 DevSecOps Community Survey.
The latest DevSecOps Community Survey results can be found at [https://sonatype.com/2020Survey](https://sonatype.com/2020Survey)
### Contributions
*We encourage you to contribute!*
Please feel free to clone this repository and create a pull request so we can review your suggestions and potentially include them in the survey. Suggestions that are accepted and merged into these survey questions will be used in next year's DevSecOps Community Survey.
If you need help creating a Pull Request, you can reference Github's documentation [here](https://help.github.com/en/github/collaborating-with-issues-and-pull-requests/creating-a-pull-request)
## The Survey
### Welcome! Let's start with a view of your organization.
*All answers are kept completely anonymous and private, we only share aggregated statistics. As a survey participant, you will receive a copy of the results once compiled into our final survey document (email address required).*
\* Identifies required questions
#### * 1. What is your industry?
Banking and Financial Services
Technology
Telecommunications
Manufacturing
Consulting Services
Government
Media and Entertainment Healthcare
Retail
Education
Insurance
Other (please specify)
#### * 2. How many of each role are in your organization? (It's okay to guess)
| | <10 | <25 | <50 | <100 | <500 | <1000 | <5000 | >5000 |
| ---------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- |
| Developers |  |  |  |  |  |  |  |  |
| Security |  |  |  |  |  |  |  |  |
| Operations |  |  |  |  |  |  |  |  |
#### * 3. What title best matches your role?
Developer (Sr., Jr., Lead)
Team Lead
Architect (Sr., Jr., Lead, Security)
Build Manager
IT Manager
IT Operations
DevOps
Application Security
QA / Test
CISO / CTO / CIO / CEO / VP
Information Security
Product Owner
Other (please specify)
#### * 4. What is your level of seniority?
Individual contributor (e.g., Junior, Senior)
Manager (e.g., Director, Sr. Director)
Executive (e.g., VP, CIO, CISO, CTO)
#### * 5. What type of applications do you or your team generally work on?
Web
Microservice
Phone
Tablet
Wearables
Embedded
IoT
Desktop
#### * 6. What is your team's main motivation to implement security controls?
Customer requirements
Risk management
Compliance requirements
Competitive advantage
Improve quality of the code / application
Other (please specify)
### Culture
#### * 7. Tell us about your job satisfaction
| | Strongly Agree | Agree | Neutral | Disagree | Strongly Disagree |
| ----------------------------------------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- |
| I am satisfied with my job |  |  |  |  |  |
| I would recommend this organization as a good place to work |  |  |  |  |  |
| I have the tools and resources to do my job well |  |  |  |  |  |
| My job makes good use of my skills and abilities |  |  |  |  |  |
| I can complete the work I set out to achieve |  |  |  |  |  |
#### * 8. What application security training is available to you?
E-learning (self-paced)
Secure coding/programming
Instructor led (online)
Instructor led (classroom)
What training?
#### * 9. Who causes the most friction on your team?
Developers
Security
Operations
Management
Executives
QA/Test
Product
None
Other (please specify)
#### * 10. How would you characterize developer interest in application security?
It's a top concern for our developers, they spend a lot of time here
Developers know it's important, but they don't have the time to spend on it
Developers do what they have to do, but it's another groups responsibility
It's not something our developers are focused on
#### 11. Who is your favorite mercenary?
Deadpool
### Development
#### * 12. Which development practices does your team use?
DevOps
DevSecOps
CI/CD (Automated, Not DevOps)
Waterfall
SAFe
Agile
Lean
#### * 13. How mature is your team's adoption of the selected development practices?
Very mature
Somewhat mature
Improving maturity
Not very mature
Not sure
#### * 14. How frequently do you or your team deploy to production?
With every change
Multiple times a day
Multiple times a week
Once per week
Every few weeks
Monthly
Multiple times a year
Yearly
#### * 15. How are you informed of application security issues?
Tooling
Customers
Manager/boss
Broadcast email
Security team
Chat
IDE Integration
Rumor
Media
#### 16. What's your favorite pizza topping? (Please Specify)
### Tooling
#### * 17. What security tools do you or your team use?
| | We Use Frequently, Critical | We Use Sometimes, Not Critical | Don't Use |
| --------------------------------------------------------- | --------------------------- | ------------------------------ | ------------------------- |
| CSA - Container and Infrastructure Security Analysis |  |  |  |
| DAST - Dynamic Application Security Testing |  |  |  |
| DLP - Data Loss Prevention |  |  |  |
| IAST - Interactive Application Security Testing |  |  |  |
| IDS/IPS - Intrusion Detection and/or Intrusion Prevention |  |  |  |
| OSS - Open Source Software Scanning |  |  |  |
| RASP - Runtime Application Self Protection |  |  |  |
| SAST - Static Application Security Testing |  |  |  |
| SCA - Software Composition Analysis |  |  |  |
| WAF - Web Application Firewall |  |  |  |
#### * 18. Are security tools properly integrated within your team's development pipeline?
| | Yes | No | N/A |
| --------------------------------------------------------- | ------------------------- | ------------------------- | ------------------------- |
| CSA - Container and Infrastructure Security Analysis |  |  |  |
| DAST - Dynamic Application Security Testing |  |  |  |
| DLP - Data Loss Prevention |  |  |  |
| IAST - Interactive Application Security Testing |  |  |  |
| IDS/IPS - Intrusion Detection and/or Intrusion Prevention |  |  |  |
| OSS - Open Source Software Scanning |  |  |  |
| RASP - Runtime Application Self Protection |  |  |  |
| SAST - Static Application Security Testing |  |  |  |
| SCA - Software Composition Analysis |  |  |  |
| WAF - Web Application Firewall |  |  |  |
#### * 19. Which description best fits the integration of your security tools with the DevOps pipeline?
Not integrated, it’s a completely separate process
Partially integrated, data flows from tool to tool but requires manual intervention
Fully integrated, but requires manual step
Fully integrated and automated
#### * 20. When does your team perform manual or automated security analysis?
| | Manual | Autonmated | Do not perform |
| --------------------------- | ------------------------- | ------------------------- | ------------------------- |
| Design/Architecture |  |  |  |
| Development |  |  |  |
| Upon Checkin |  |  |  |
| During Build |  |  |  |
| During QA/Test |  |  |  |
| Prior to Production Release |  |  |  |
| In Production |  |  |  |
| All of the above |  |  |  |
### Policy, Governance, and Compliance
#### * 21. Are governance and compliance automated in your team's development process?
Yes
No
Not Sure
#### * 22. Does your team automate separation of duties?
Yes
No
Not Sure
#### * 23. Does your organization have an open source governance policy? (i.e., rules about using good, not bad, components/libraries/binaries)
Yes
No
Not Sure
#### * 24. Do you follow the open source governance policy?
Yes
No
Not Sure
#### * 25. Does your team maintain an inventory of open source components? (e.g., a software bill of materials (SBoM))
Yes, for all components including dependencies
Yes, for for all components, but **NOT** dependencies
No
Not sure
#### * 26. Which one?
Star Wars
Star Trek
Who Cares?
### Challenges
#### * 27. Rate the following challenges with your application security processes
| | Very challenging | Somewhat challenging | Not challenging | N/A |
| -------------------------------------------------- | ------------------------- | ------------------------- | ------------------------- | ------------------------- |
| We find out about problems too late in the process |  |  |  |  |
| Slows down development |  |  |  |  |
| Too many false positives |  |  |  |  |
| Not clear of what's expected of us |  |  |  |  |
| No enforcement, workarounds are common |  |  |  |  |
| Addresses source code but not components |  |  |  |  |
| Mobile application testing |  |  |  |  |
#### * 28. Has your organization had a breach that can be attributed to a vulnerability in an open source component or dependency in the last 12 months?
Yes, we definitely have
We suspect that this was the source of a breach
No, we definitely have not
Not Sure
#### * 29. Has your organization had a breach attributed to application development and deployment in the last 12 months?
Yes, we definitely have
We suspect that this was the source of a breach
No, we definitely have not
Not Sure
### One last question...
**30. LAST QUESTION: Tell us why DevSecOps practices are important to you. We may include your entry in the DevSecOps Community survey report.**