DevSecOps 7th annual Community Survey results

Sonatype published findings from its seventh annual DevSecOps Community Survey, based on responses from 5,045 software engineering professionals. The survey, developed and conducted in partnership with Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute, DevOps.com, DevSecOps Days, NowSecure, Security Boulevard, Verica, and All Day DevOps, pulls back the curtain on successful DevSecOps practices, significant influences on developer satisfaction, trends in secure coding, and application breaches. 

The survey reveals that development velocity is accelerating with 55% of respondents deploying code to production at least once per week, compared to 47% of respondents in 2019. Findings also show how engineering teams supported by mature DevOps practices are more likely to integrate automated security tooling into their development lifecycle. The most popular automated security investments are web application firewalls (59%), open-source governance (44%), and intrusion detection (42%).

Mature DevOps teams also demonstrate 1.6x higher job satisfaction rates compared to their immature peers. Furthermore, mature teams are 2.2x more likely to invest in container security, 2.1x more likely to invest in Dynamic Analysis Security Testing, and 1.9x more likely to invest in Software Composition Analysis.

“DevSecOps transformations are proving critical – not just to improve productivity and application security - but to ensure developer delight. This year, mature DevOps teams are properly integrating and automating security tools almost 2x more often than less mature teams. We also found developers in mature DevOps teams are 1.6x more likely to recommend their employers in today’s tight job market and 1.3x more likely to get work done,” said Derek Weeks, Vice President at Sonatype. 

Mature DevOps teams are more aware of breaches: 28% of mature organizations are aware of an open-source component-related breach in the past 12 months, compared to just 19% of respondents with immature DevOps practices. While breaches appear higher for mature DevOps practices, industry advocates point to cultural advantages that reward open communication, welcome new information, and encourage tighter collaboration between developer and security tribes.

Happy developers pay more attention to security: Happy developers are 3.6x less likely to neglect security when it comes to code quality and 1.3x more likely to follow open source policies. They are also 2.3x more likely to have automated security tools in place. Developers working within mature DevOps practices are 1.5x more likely to enjoy their work, and 1.6x more likely to recommend their employer to prospects.

Tooling and training show a strong correlation with DevOps delight: Happier developers are 1.3x more likely to be informed of security issues from their integrated tooling compared to their grumpier counterparts. But improved tooling and close collaboration with security teams also paid off for happier developers, as they are 3.8x less likely to rely on rumors when it comes to security notifications. Developers who receive training on how to code securely are also 5x more likely to enjoy their work.