Sonatype has recently published findings from its seventh annual DevSecOps Community Survey, which pulls back the curtain on successful DevSecOps practices, significant influences on developer satisfaction, and an alarming level of application breaches.
Developed in partnership with Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute, DevOps.com, DevSecOps Days, NowSecure, Security Boulevard, Verica, and All Day DevOps, the survey is the largest and longest-running survey conducted of the DevSecOps global community.
The findings showed a clear correlation between DevOps and developer job satisfaction, with developers working within mature DevOps practices 1.5x more likely to enjoy their work.
The research also revealed that those with mature DevOps practices are 1.6x more likely to recommend their employer to prospects – critical at a time when the UK continues to face an acute skills shortage.
Other key insights from the study include the fact that development velocity is accelerating rapidly, with 55% of respondents deploying code to production at least once per week, compared to 47% of respondents in 2019.
As velocity increased year over year, 47% of developers continued to admit that while security was important, they did not have time to spend on it – a finding consistent with the same survey in 2018 (48%) and 2019 (48%). Without additional time to spend on security, teams are investing in automated security tools, where open source governance (44%), web application firewalls (59%), and intrusion detection (42%) top the list.
The greatest differences in investment priorities between mature and immature programs are seen across Container Security, with mature practices investing 2.2x more than immature practices; this is closely followed by investments in Dynamic Analysis and Software Composition Analysis, with 2.1x and 1.9x more respectively.
“DevSecOps transformations are proving critical – not just to improving productivity and application security – but also to ensuring developer happiness,” said Derek Weeks, Vice President at Sonatype. “As businesses bolster software development capabilities, improving application and information security hygiene practices are seen as a competitive differentiator for their products and employees.”
The report shows how developers can get more from their projects by improving their development process, and it deserves attention. Other key findings from the report include:
Mature DevOps teams are more aware of breaches:
28% of mature organizations are aware of an open-source component-related breach in the past 12 months, compared to just 19% of respondents with immature DevOps practices. While breaches appear higher for mature DevOps practices, industry advocates point to cultural advantages that reward open communication, welcome new information, and encourage tighter collaboration between developer and security tribes.
Happy developers pay more attention to security:
Happy developers are 3.6x less likely to neglect security when it comes to code quality, and 1.3x more likely to follow open source policies. They are also 2.3x more likely to have automated security tools in place. Developers working within mature DevOps practices are 1.5x more likely to enjoy their work, and 1.6x more likely to recommend their employer to prospects.
Tooling and training show strong correlation with DevOps delight:
Happier developers are 1.3x more likely to be informed of security issues from their integrated tooling compared to their grumpier counterparts. But improved tooling and close collaboration with security teams also paid off for happier developers, as they are 3.8x less likely to rely on rumors when it comes to security notifications. Developers who receive training on how to code securely are also 5x more likely to enjoy their work.