Google has released the findings from the 2022 Accelerate State of DevOps Report. This year's report focused on security, with a particular emphasis on the software supply chain. The report found broad adoption of the practices it examined, with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.
The report, now in its eighth year, has surveyed over 33,000 people. This year, the team focused on supply chain security to better analyze the relationship between security and DevOps. To ground this assessment, they used the Supply-chain Levels for Software Artifacts (SLSA) framework together with NIST's Secure Software Development Framework (SSDF). These two frameworks provide a number of practices, both technical and non-technical, that respondents were asked about.
The report found that the majority of respondents reported at least partial adoption of every practice asked about. Using application-level security scanning as part of their CI/CD pipelines was the most commonly used practice, with 63% of respondents stating that this was "very" or "fully" established. The practices of preserving code history and using build scripts are also highly established. Metadata signing and requiring a two-person review process ranked lower in responses.
One key finding is that the biggest predictor of an organization's software security practices was not technical but cultural. Using Westrum's organizational typology, high-trust, low-blame cultures focused on performance were significantly more likely to adopt emerging security practices than low-trust, high-blame cultures focused on power or rules. Derek DeBellis, DORA Research Lead, and Clair Peters, DORA Research Lead, also share that:
Survey results indicate that teams who focus on establishing these security practices have reduced developer burnout and are more likely to recommend their team to someone else.
This finding is consistent with another two-year study conducted by Google. That study also found that high performing teams need a culture of trust and psychological safety coupled with meaningful, well defined work. The 2019 State of DevOps report found that a culture of psychological safety is predictive of software delivery performance, organizational performance, and general productivity.
The report uses five key metrics to classify teams as elite, high, medium, or low performers based on their deployment frequency, lead time for changes, mean-time-to-restore, change failure rate, and reliability. Reliability was added as a key metric last year, expanding from only asking about availability, in order to better cover more aspects of reliability engineering.
The report also found that high performing teams are at a four-year low, with no elite performing teams this year, and a corresponding increase in the number of low performers. More teams landed as medium performers this year than in years past, showing a general trend towards slightly better software delivery practices. The team is planning further research into this change, but currently hypothesizes that the pandemic may have affected teams' capacity for innovation and collaboration.
The 2022 Accelerate State of DevOps report is now available for download from Google.