Gorodenkoff - stock.adobe.com
Developers who are happy and satisfied in their work are 3.6 times less likely to neglect security considerations in their code, 2.3 times more likely to have automated security tools in place, and 1.3 times more likely to follow open source security best practice, according to new research conducted on behalf of DevOps services supplier Sonatype.
The findings were reported in Sonatype’s seventh annual DevSecOps community survey – which was developed alongside the Software Engineering Institute of Carnegie Mellon University in the US, and a number of other partners.
“Developer happiness based on mature DevOps practices is fundamental to the quality and delivery of secure software,” said Derek Weeks, vice-president at Sonatype.
“By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.”
Sonatype and its partners also found that job satisfaction among developers was higher among those working with firms that had adopted mature DevOps security practice, and also tended to be slightly more likely to recommend their employer to potential new colleagues.
The Sonatype study said 28% of organisations with mature DevOps practices were aware of a security incident or breach relating to an open source component that took place in the past 12 months, compared with 19% of those who said their setup was less mature.
The firm said that although it might seem like breaches are higher for better-prepared organisations, this may reflect the cultural differences in more mature DevOps environments – such as rewarding open communication, welcoming new information, and encouraging better collaboration between developers and security. This means breaches that do occur are spotted more quickly and mitigated more successfully.
Sonatype also found that development velocity was ramping up, with 55% respondents deploying code to production at least once a week, well up on 2019’s figure of 47%. Matching this faster-paced environment, 47% of developers agreed that security was important but said they did not really have time to spend on it – a finding that was relatively consistent with previous years, down just one percentage point.
The study also shed some light on where firms with mature DevOps practices and those with immature ones were more likely to direct their investments in security automation.
Read more about DevSecOps
- Attackers are knocking at your door. Don’t waste time with repetitive, automatable security tasks. Here’s how DevSecOps enables code analysis, security testing and more.
- In this excerpt from Chapter 1 of Securing DevOps: Security in the cloud, author Julien Vehent describes three principles critical to the DevSecOps model.
- The CNCF, defence contractors and IT vendors have joined forces with the US Department of Defense to establish NIST security standards and best practices for DevSecOps.
The biggest differences in priorities between mature and immature DevOps programmes were seen in container security. Here, mature practices tend to invest at double the rate of immature ones, closely followed by dynamic analysis (DAST) and software composition analysis (SCA).
Sonatype said open source governance (44%), web app firewalls (59%) and intrusion detection (42%) seemed to be the highest priorities for buyers across the board.
The survey also revealed that 31% of the DevOps community cite pepperoni as their favourite pizza topping, 50% expressed a preference for Star Wars over Star Trek, and there was unanimous agreement that Deadpool is the best mercenary.
The online study was conducted in February 2020 and received responses from 5,045 people in 102 geographies, with the most represented countries being Australia, Canada, Germany, India, Israel, the Netherlands, Singapore, Spain, the UK and the US. The full report and its findings can be downloaded from Sonatype’s website.