
How DevSecOps Is Transforming Secure Software Delivery – 2020 Report Insights

The 2020 DevSecOps Industry Insight Report, released by XuanJing Security and Freebuf Consulting, examines the rapid adoption of DevSecOps in China, highlights survey results from over a thousand IT professionals, outlines a security tool pyramid, and forecasts emerging trends and best practices for agile security.

Efficient Ops

Report Overview

As cloud computing, micro‑services and container technologies become mainstream, traditional software‑development‑life‑cycle (SDLC) models are shifting toward DevOps‑style agile development and continuous delivery. On 30 December 2020, XuanJing Security partnered with Freebuf Consulting to publish the “2020 DevSecOps Industry Insight Report” at the CIS conference’s “DevSecOps Practice and Technology Session”.

Global Context

The report’s producer, Zi Ya, noted that the RSA Conference (24‑28 February 2021, San Francisco) focused on the “Human Element”, identifying DevSecOps as a key trend. Innovative vendors such as BluBracket and ForAllSecure were highlighted, and organizations like Comcast, the U.S. Department of Defense and NIWC were cited as practical examples.

Domestic Adoption

Although Chinese financial, energy and internet sectors have not yet undertaken deep DevSecOps transformations, many are beginning to adopt the framework and the agile security activities embedded in CI/CD pipelines. Emerging security vendors and generic technology solutions are increasingly being adopted by leading domestic enterprises, prompting the release of the first domestic DevSecOps industry survey.

Survey Findings (Part 1)

The first part of the report presents a survey of more than a thousand IT professionals from diverse backgrounds. The responses, gathered through questionnaires, data collection, interviews and technical salons, indicate growing recognition of DevSecOps and accelerated practice, with leading organizations achieving high‑level automation of application‑security tasks early in the software‑development lifecycle.

Insights and Trends (Part 2)

The second part compiles expert discussions, observed phenomena, development trends and case studies across industries. It emphasizes that embracing change is the foundation of agile security construction.

DevSecOps Security Tool Pyramid

The report defines a “security‑tool pyramid” that classifies tools into hierarchical layers. The base consists of fundamental tools, while higher layers add capabilities that overlap and collaborate. Tool selection is influenced by universality, intrusiveness and ease of use rather than directly by an organization’s DevSecOps maturity level.


Report Objectives

The authors hope the investigation and analysis will encourage more industry users to explore, compare and adopt leading DevSecOps agile‑security practices, trace software‑supply‑chain risks across development, testing, deployment and operation, and build resilient, agile security‑development‑operations systems. They also aim to foster dialogue among technology forces and provide a reference for establishing new security benchmarks.

Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
