2024 Global DevSecOps Report

What’s next in DevSecOps for financial services

Table of contents

What’s next in DevSecOps for financial services
Investing in security, AI, and automation
Catching up on AI
Integrating AI into all aspects of software development
Software supply chain security is a potential weak spot
Security is a priority, but still a challenge
Leading the way on frequent deployments
Hiring, retaining, and onboarding are challenges
Developers want automation, collaboration, and flexible work
Demographics and methodology


What’s next in DevSecOps for financial services


It’s clear from our survey of more than 5,000 DevSecOps professionals
that artificial intelligence (AI), security, and automation are top of mind for
organizations across the board.

But what about the financial services industry? This industry has some unique
challenges and needs — including staying on top of ever-changing regulations,
protecting sensitive data, maintaining customer trust, managing legacy systems,
attracting and retaining top engineering talent, and keeping up with more nimble
competitors — that could make their progress and priorities a bit different.

We analyzed 770 survey responses from financial services industry professionals
across development, security, and operations roles. Let’s take a look at what
they’re doing and struggling with, on everything from security to AI.


Investing in security, AI, and automation


Not surprisingly, security was the most commonly cited investment priority for
respondents in financial services.

AI was their second most common investment priority, which makes sense given
the plans that many in the industry have for the next few years around innovation,
operational efficiency, and simplification.

Top investment priorities for financial services in 2024:
1. Security
2. AI
3. Automation

Chart: What are your organization’s top 3 IT investment priorities in 2024?
Series order: Financial services, All respondents
Security: 21%, 19%
AI: 19%, 19%
Automation: 16%, 16%
Cloud Computing: 15%, 17%
DevSecOps Platform: 15%, 17%
DevOps: 15%, 15%
Serverless: 14%, 11%
Application monitoring: 13%, 13%
Blockchain: 13%, 10%
Continuous integration: 12%, 13%


Catching up on AI
According to our survey, the financial services industry is a little behind in adopting
AI in the software development lifecycle (SDLC) compared to other industries.
Only 34% of respondents in financial services said they were currently using AI in
software development, compared to 39% of respondents across all industries.

However, they're planning to nearly close that gap. More than three-quarters
(76%) of financial services respondents are currently using AI or plan to in the
next two years, similar to what we observed across all industries (78%).

Is there anything that may be preventing deeper adoption of AI in financial
services? Three key challenges stood out in our survey. Respondents in financial
services who have used AI in software development said the top obstacles
they face are a lack of knowledge about AI, concerns around privacy and data
security, and a lack of skills needed to use AI.

Chart: Is your organization using or planning to use AI in the software development lifecycle?
Series order: Financial services, Software/computer hardware, Telecommunications, All respondents
We are currently using AI in the SDLC: 32%, 41%, 22%, 39%
We plan to start using AI in the next 2 years: 42%, 41%, 38%, 39%


These concerns probably aren’t surprising. Because of the highly sensitive
nature of the data they work with, the financial sector is laser focused on
privacy and security, making many organizations more cautious about
adopting AI. It appears that for some organizations this heightened caution
has led them to be a bit behind in investigating AI, as “lack of knowledge
around AI” was the most common obstacle cited by respondents in
financial services. As more DevSecOps teams in the industry plan to adopt
AI across their SDLC, focusing on closing this knowledge gap could be an
excellent opportunity to ensure a smooth transition.

Chart: What are the top obstacles your organization has encountered using AI in the SDLC?
(according to financial services)
Lack of knowledge about AI: 39%
Concerns around privacy and data security: 38%
Lack of appropriate skill set to employ AI or interpret AI output: 37%
Concerns around security vulnerabilities in software built using AI: 27%
Concerns around copyright and intellectual property: 26%
Difficulty procuring AI tools (securing legal approval, etc.): 26%
Difficulty keeping up with the latest developments in AI: 25%
Lack of confidence in AI-generated output: 23%
Concerns around complying with government regulations related to AI: 21%
Difficulty securing budget: 19%
Accelerated code creation causing problems for security and ops teams: 14%


Integrating AI into all aspects of software development


Software engineering teams in financial services are eager to adopt generative
AI to help them accelerate code creation. The top use cases where financial
services respondents told us they’re currently using AI were code generation and
code suggestions, followed by explanations of how code works, and to modernize
legacy code, which was a uniquely popular answer among financial services
respondents. This need to modernize highlights one of the industry’s unique
challenges, and opportunities, when it comes to AI.

When asked how they are planning to use or are interested in using AI, this year’s
financial services respondents identified a different set of use cases, including
forecasting productivity metrics and identifying anomalies, chatbots that allow
users to ask questions in natural language, and suggestions for who can review
code changes.

Chatbots appeared in both the top five current use cases and the top five use
cases that respondents were interested in, suggesting that natural-language chat
interfaces are an appealing way for DevSecOps teams to engage with AI tools.

Top ways financial services respondents are currently using AI:
Code generation and code suggestions/completion: 62%
Summaries of code changes: 50%
Explanations of how a piece of code works: 47%
Modernizing legacy code: 46%
Chatbots that allow users to ask questions in documentation using natural language: 41%

Top ways financial services respondents are interested in using AI:
Forecasting productivity metrics and identification of anomalies across the software development lifecycle: 41%
Chatbots that allow users to ask questions in documentation in natural language: 38%
Suggestions for who can review code changes: 37%
Summaries of code changes: 36%
Summaries of issue comments: 35%


Software supply chain security is a potential weak spot


Within the financial services industry, 78% of developers said a quarter or more of
the code they work on is from open source libraries. That’s higher than average,
with only 67% of developers across all industries reporting that a quarter or more
of the code they work on is from open source libraries.

Capabilities like a software bill of materials (SBOM) — a list of all the components,
libraries, and modules that make up an application — are essential for maintaining
the security of the software supply chain, especially as the amount of code
pulled from open source libraries increases. However, in our survey, only 22%
of respondents in the financial services industry said their organizations are
currently using SBOMs to enable security in the SDLC.

78% of developers in financial services said a quarter or more of the code they
work on is from open source libraries… but only… 22% of respondents in financial
services said their organization uses SBOMs.

Chart: Approximately how much of the code in the applications you work on is from open source (OSS) libraries?
Series order: Financial services, All respondents
0% to 9%: 2%, 3%
10% to 25%: 17%, 28%
26% to 50%: 38%, 27%
51% to 75%: 31%, 30%
More than 75%: 9%, 10%
Don’t know: 3%, 1%


Security is a priority, but still a challenge


In this year’s survey, we found that the financial services industry is a bit ahead of
the curve when it comes to using many security-related technologies.

Chart: How does your organization enable security in the SDLC?
Series order: Financial services, All respondents
Dynamic application security testing (DAST): 38%, 34%
Static application security testing (SAST): 39%, 33%
API fuzz testing: 24%, 21%
Secret detection: 27%, 24%
External scanners like SonarQube, Fortify, or Checkmarx: 35%, 29%

However, they aren’t more likely to feel confident about their team’s security.
Only 60% of respondents in financial services said they are confident in their
organization’s approach to application security, compared to 60% of respondents
across all industries, and 67% in the software/computer hardware industry.

Why isn’t the financial services industry more confident in their approach to
security? The results from our survey point to a possible cultural gap around
security.

Of the security professionals in financial services who took the 2024 Global
DevSecOps Survey:
• Only 18% said their organization has shifted security left.
• More than half (54%) said their security team has a difficult time getting
the development team to prioritize vulnerability remediation.
• Only 14% said they have developers run dynamic application security
testing (DAST), compared to 17% across all industries and 26% for the
software/computer hardware sector.
• Less than half (49%) said security vulnerabilities are a performance
metric for developers, compared to 57% across all industries.


Leading the way on frequent deployments


Financial services is leading the way on frequent deployments. A full 40% of
developers in this sector said their organization deploys multiple times per day
or once a day, compared to 28% for the software/computer hardware sector
and 25% across all industries. Many in financial services have been investing in
deployment automation and continuous delivery over the years, and it seems to
be paying off.

Chart: How often does your organization deploy to production? (according to developers)
Series order: Financial services, All respondents
Multiple times a day (continuous deployment): 24%, 13%
Once a day: 23%, 11%
Once every few days: 36%, 40%
Once a week: 11%, 10%
Once a month: 14%, 11%
Every few months: 2%, 6%
Don’t know: 3%, 2%


Hiring, retaining, and onboarding are challenges


The financial services industry is having a somewhat harder time recruiting
and keeping developers. A third (more than 33%) said it was somewhat or very
difficult for their organization to attract, hire, and retain developers, compared
to 29% of respondents across all industries and 28% for the software/computer
hardware industry.

What’s more, once a financial services organization hires a developer, it tends
to take longer to onboard them and get them up to speed. Only 18% said their
organizations onboard developers in less than a month, compared to 29% across
all industries and 35% in the software/computer hardware industry.

Chart: How long does it take to onboard new developers in your organization and get them up to speed on all your tools and processes?
Series order: Financial services, All respondents
Less than 2 weeks: 3%, 9%
2 to 4 weeks: 15%, 20%
Up to 2 months: 29%, 25%
Up to 3 months: 24%, 20%
Up to 4 months: 14%, 11%
Up to 5 months: 7%, 5%
Up to 6 months: 6%, 5%
More than 6 months: 2%, 2%


Developers want automation, collaboration, and flexible work


When asked how their organizations can improve the developer experience,
developers in financial services were clear: expand automation, improve
collaboration, and give them the flexibility to work remotely. Of note, developers
in financial services were more likely to select “more flexible work arrangements
(e.g., remote or hybrid work)” than their peers in other industries — 25% of
developers in financial services noted it, compared to 22% across all industries.

Many developers in financial services say they are bogged down by repetitive
tasks and context switching, so it’s not surprising that they want to be empowered
with more automation and AI. Adding that automation to a more flexible work day
could unlock a new level of productivity and developer experience.

Top challenges that could be made to improve developer satisfaction,
according to developers in financial services:
Increased automation: 31%
Improved collaboration: 30%
More flexible work arrangements (e.g. remote or hybrid work): 25%
Better integration with IT operations: 23%
Use of AI assistance: 22%
More training: 22%
A shared goal across individuals: 22%
Better pay: 22%
Making information more accessible and discoverable: 21%


Demographics and methodology

We collected a total of 5,315 survey responses in April 2024 from individual
contributors and leaders in development, IT operations, and security across a
mix of industries and business sizes worldwide.

We used two sampling methods for the data collection:
• We distributed the survey via GitLab's social media channels and email lists.
• A third-party research partner, Omdia, conducted panel sampling, which
reduces bias in the sample. Omdia used its proprietary access to lists,
panels, and databases to gather quality responses and cleaned the data
throughout fielding to ensure data quality.

Here’s a closer look at the survey respondents:

Organization size
24 or fewer employees: 136
25 to 49 employees: 180
50 to 99 employees: 586
100 to 249 employees: 874
250 to 499 employees: 737
500 to 999 employees: 1,116
1,000 to 1,999 employees: 677
2,000 to 3,999 employees: 421
4,000 or more employees: 588

Functional area
IT security: 27%
Software development: 40%
IT operations: 31%

Gender
Female: 21%
Male: 72%
Prefer not to answer: 6%
Nonbinary: 1%

Job role
C-level executive (e.g., CISO, CTO): 804
Vice president: 432
Director: 855
Manager: 2,012
Individual contributor/team member: 1,212


Geography

UK: 11% (561)
Germany: 12% (634)
France: 6% (298)
Canada: 7% (396)
Japan: 4% (211)
US: 44% (2,335)
India: 3% (150)
New Zealand: 2% (105)
Other: 4% (228)
Australia: 7% (397)


Industry

Software/SaaS/Computer Hardware: 1,147
Financial Services/Banking: 532
Telecommunications: 515
Automotive: 503
Government: 419
Aerospace & Defense: 268
Manufacturing: 243
Retail: 242
Insurance: 238
Healthcare: 227
Biotechnology/Pharmaceuticals: 202
Business Services/Consulting: 198
Energy & Utilities: 160
Education: 156
Media & Entertainment: 135
Hospitality/Travel/Food & Beverage: 106
Others: 24

Demographics of financial services respondents

Let’s take a closer look at the 770 survey respondents in the
financial services industry.

Organization size
0-99 employees: 12%
100-999 employees: 55%
1,000-3,999 employees: 21%
4,000+ employees: 12%

Functional area
Software development: 29%
IT security: 36%
IT operations: 32%

Gender
Female: 24%
Male: 66%
Prefer not to answer: 9%
Nonbinary: 1%

Job role
C-level executive (e.g., CISO, CTO): 8%
Vice president: 11%
Director: 17%
Manager: 38%
Individual contributor/team member: 26%

Geography of financial services respondents

Europe: 36%
Asia: 7%
North America: 46%
Oceania: 10%
Other: 1%

© 2024 GitLab All Rights Reserved
