The shift to DevSecOps has changed who buys enterprise IT security products, triggering IT vendor consolidation and new tools that target secure application development.
IT experts still debate the exact definition of DevSecOps -- for some, it describes organizational changes and who takes responsibility for securing IT resources. For others, it's about what tools are used to secure applications, and in which parts of the application lifecycle. So far, the common ground among various DevSecOps definitions is that IT organizations are thinking more collaboratively to build secure applications.
This shift fundamentally changes the way those organizations evaluate and purchase IT vendors' products.
"Developers and security are working more closely together, and more tools are being designed for developers to be able to do security checks in the course of their day-to-day jobs," said Daniel Kennedy, an analyst at 451 Research, a division of S&P Global.
The firm's research on who uses application security tools found that in 2015, roughly 70% of users were security professionals; by 2020, the user base had shifted to a 50/50 split between security pros and developers.
M&A activity spurred by this trend has continued for the last two years, and analysts report it is steadily accelerating. In 2019, the 451 Research M&A KnowledgeBase identified nine DevSecOps acquisitions; in 2020, that increased to 16. So far in 2021, 451 Research has tracked 21 DevSecOps transactions.
Among this year's DevSecOps mergers, there are three broad themes: the consolidation of previously specialized security tools; increased integration between security monitoring and IT performance monitoring tools as part of a concurrent shift toward application observability; and the alignment of security functions with DevOps software development and deployment processes, also known as "shifting left."
IT security specialists combine
Cloud identity and access management vendor Okta's $6.5 billion acquisition of Auth0, first publicized in March and completed in May, is a good example of a vendor driven to appeal to developers.
Okta established itself among enterprise DevOps organizations concerned with distributed IT infrastructure as they moved to cloud computing. Auth0's tools also handle access to cloud resources but focus on helping developers integrate their applications with identity management providers.
Financial ratings company Moody's used Okta's Advanced Server Access, single sign-on (SSO) and multifactor authentication products over the last three years to maintain security amid a cloud migration, transition to containers and its own M&A activity. Most recently, the company used Okta's SSO tools to accommodate a shift to remote work during the COVID-19 pandemic.
"We've done a lot of work with different use cases and Okta," said George Kurian, senior vice president of cybersecurity services for New York-based Moody's. "Now we're working on unifying our application development, single sign-on ... and mobile experiences."
Kurian hadn't decided whether to use Auth0 as of early April, but said he was open to considering it in the future.
"Auth0 gives me a nice toolkit to [connect] into my application, so my developers don't have to figure out how to do it," he said. "We don't have a lot of public-facing apps ... [but] there are some products like Moodys.com, and some of the new environmental websites that we're setting up, that it would be useful for."
Elsewhere, the increased popularity of Kubernetes for cloud-native applications brought together security vendors from adjacent areas of container-based infrastructure. Aqua Security acquired infrastructure-as-code security player tfsec in July, while Sysdig folded in infrastructure-as-code security tools from Apolicy.
IT security and monitoring merge into observability
Sysdig, founded in 2013 as a container monitoring platform, was among the first such vendors to add security monitoring to its products -- a combination that's increasingly the norm.
Sumo Logic, originally a cloud-based log monitoring vendor, has followed a similar path. It acquired security analytics company JASK last year to add to its security information and event management (SIEM) software. This year, Sumo acquired security orchestration, automation and response software vendor DFLabs. Application performance monitoring vendor Datadog also expanded its security features with the acquisition of Sqreen in February.
For existing users of these monitoring products, acquisitions can be a double-edged sword, depending on how much the acquired technology overlaps with tools the customer already has.
"The level of effort for us to change tools is pretty high," said Andy Domeier, senior director of technology operations at SPS Commerce, a Minneapolis-based communications network for supply chain and logistics businesses. "The value proposition is harder to explain for an existing customer you're trying to get to switch as opposed to a brand-new customer."
However, for SPS Commerce, a Sumo Logic customer, the JASK acquisition has been a welcome addition, Domeier said.
"We were in the market specifically for that technology," he said. "In that scenario, we would love to use Sumo Logic. Why would I want to shovel the logs into yet another tool for SIEM?"
Sysdig's expansion also includes cloud security posture management (CSPM), a growing category, where future consolidation is also likely.
"Some vendors are looking to take a broader view of overall enterprise risk management," said Fernando Montenegro, an analyst at 451 Research.
Security shifts left -- and right
With DevSecOps, IT organizations integrate application security into the DevOps delivery process much earlier. In response, security platform vendors snapped up security test automation vendors, as with Palo Alto Networks' acquisition of infrastructure-as-code security vendor Bridgecrew, completed in March.
CI/CD vendors such as JFrog shifted left and built such tools directly into application release pipelines. More recently, these vendors have also begun to "shift right," feeding production data back to developers so they can prioritize fixes. JFrog took a step into this realm with its Vdoo acquisition in June.
Meanwhile, GitLab users anticipate that the company's acquisition of artificial intelligence/machine learning (AI/ML) vendor UnReview in June will eventually have DevSecOps implications. UnReview identifies appropriate code reviewers during the software development process and balances code review workloads.
"Having the tool identify experts in specific coding areas will eliminate a lot of the delay in finding the appropriate resource," said Doug Rickert, senior product security manager at Here Technologies, a location services and mapping company based in the Netherlands.
Finally, DevOps infrastructure platform vendors such as VMware and Red Hat are building in security automation capabilities. Red Hat was among the vendors that kicked off this year's M&A spree with its acquisition of Kubernetes security vendor StackRox in January. Red Hat parent company IBM recently acquired BoxBoat, which is working with the Department of Defense on container-based software supply chain security. In March, VMware revealed plans to add security policy features acquired with Mesh7 to its Tanzu Kubernetes platform.
"When something becomes an expectation in the market, big vendors begin to tuck it into their offerings," said 451's Kennedy. "DevOps has been around for a while now, and cloud-native, container-based applications, so now security features are expected."
Beth Pariseau, senior news writer at TechTarget, is an award-winning veteran of IT journalism. She can be reached at [email protected] or on Twitter @PariseauTT.