Research reveals link between developer happiness and application security, but breaches remain at troubling levels


  • Wednesday, 8th April 2020, by Phil Alsop
Sonatype announces the findings of its seventh annual DevSecOps Community Survey, which uncovers an intrinsic link between developer happiness and application security hygiene, and an alarming level of application breaches. The survey is the DevSecOps community’s most comprehensive and longest-running study, and was developed in partnership with Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute, DevOps.com, DevSecOps Days, NowSecure, Security Boulevard, Verica, and All Day DevOps.

For the first time ever, the findings prove the correlation between developer happiness and application security hygiene, with happy developers 3.6x less likely to neglect security when it comes to code quality. Happy developers are also 2.3x more likely to have automated security tools in place, and 1.3x more likely to follow open source security policies. In addition, the findings showed that developers working within mature DevOps practices are 1.5x more likely to enjoy their work, and 1.6x more likely to recommend their employer to prospects, highlighting the significant role DevSecOps transformations play in both application security and developers’ job satisfaction.


The study also revealed that 28% of mature organisations are aware of an open source component-related breach in the past 12 months, compared to 19% of respondents with immature DevOps practices. While breaches appear higher for mature DevOps practices, industry advocates point to cultural differences that reward open communication, welcome new information, and encourage tighter collaboration between developer and security tribes.


“Developer happiness based on mature DevOps practices is fundamental to the quality and delivery of secure software,” said Derek Weeks, Vice President at Sonatype. “By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.”


Additional findings from the report include:


  • Development velocity is accelerating rapidly: 55% of respondents deploy code to production at least once per week, compared to 47% of respondents in 2019. As year-over-year velocity increased, 47% of developers continued to admit that, while security was important, they did not have time to spend on it - a finding consistent with the same survey in 2018 (48%) and 2019 (48%).

  • Automated security investments are highest in open source governance (44%), web application firewalls (59%), and intrusion detection (42%). The greatest differences in investment priorities between mature and immature DevOps programs are seen in Container Security, with mature practices investing 2.2x more than immature practices; this is closely followed by investments in Dynamic Analysis (DAST) and Software Composition Analysis (SCA), with 2.1x and 1.9x more respectively,