State of DevOps report 2022: for secure software, team culture counts more than technology

Google’s DORA (DevOps Research and Assessment) team has published its 2022 State of DevOps report, finding a drop in what it calls “software operational performance” since last year, increasing cloud usage, and that CI/CD (Continuous Integration/Continuous Delivery) is critical to software security. The researchers also conclude that in order to develop secure software, a strong collaborative culture is more important than any technical feature.

Google has published these DORA State of DevOps reports since 2014, originally in partnership with Puppet, though since 2018 Google and Puppet have delivered separate reports. This year it is based on survey results from 1350 professionals, of whom 68 percent work in development, engineering, or IT operations and infrastructure, from organisations well balanced between the largest (10,000+ employees) and small (20-99 employees).

There were some notable differences in the sample this year though, which may account for some of the trends reported. In particular, 35 percent of respondents had fewer than five years’ experience, where last year it was 41 percent.

What makes the report worthwhile is not only the responses, but the depth of analysis from the team of ten authors, led by User Experience Researcher Claire Peters, and Dave Farley, co-author of a well-known book on Continuous Delivery and founder of Continuous Delivery Ltd.

The DORA team attempts to measure software delivery performance, operational performance, and organizational performance, according to a model it has devised and used consistently over the years. It uses deployment frequency, lead time for changes, time to restore service after an incident, and change failure rate to measure software delivery performance, for example. The highest score is won by delivering multiple deployments per day, taking no more than a week to deploy changes from code to production, restoring service in less than a day, and a change failure rate of no more than 15 percent

This year, performance has dropped, the team reports. “The striking difference from last year is that we don’t consider any cluster to be elite this year,” the report states. There is also an increase in low performers, from 7 percent in 2021 to 19 percent this year. Why? They speculate that the pandemic and its after effects has hampered innovation and knowledge sharing but do not have data to support it.

Software development performance has declined, but is the pandemic or a different sample of respondents to blame?

Cloud computing usage continues to grow, according to the report. Use of public cloud is 76 percent, up from 56 percent in 2021. Only 10.5 percent report no cloud usage at all (including private cloud).

“Respondents that used cloud were 14% more likely to exceed in organizational performance goals,” the researchers say. Although this may be a matter of correlation rather than causation, which is always a hard thing to distinguish.

More than 50 percent of respondents use multiple cloud providers, and this group “showed a 1.4x higher organizational performance,” the researchers say. VMWare will be pleased. However, the news is nuanced by a negative impact on software delivery performance.

The DORA researchers are enthusiasts for what they call “trunk-based development.” This is where long-lived feature branches under source code management are avoided and “has been shown for years to accelerate software delivery velocity.” Again there are nuances. More experienced individuals benefit from trunk-based development, but those with less experience find increased error-proneness and unplanned work. The researchers say that success with trunk-based development requires “rigorously enforced rules” around never leaving the trunk broken to avoid pain in development.

Security is a key topic this year, with a focus on supply-chain security. The researchers note that adopting best practice such as the SLSA (Supply Chain for Software Artifacts) framework and SSDF (Secure Software Development Framework) is challenging without CI/CD. “Without this critical piece of infrastructure, it is very difficult for an organization to ensure a consistent set of scanners, linters, and tests are run against the software artifacts they create,” the report states.

Another key finding is that software security is associated with collaborative culture, or a “generative” culture as defined here. “We found that the biggest predictor of an organization’s application-development security practices was cultural, not technical: high-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low trust, high-blame cultures focused on power or rules,” the paper states.

Since collaborative culture is also aligned with other aspects of high performing software teams, that may be the key message here. If that is a problem, it is better to fix the organisational culture first and improved developer performance, including security, will follow. “Individuals and interactions over processes and tool,” said the Agile Manifesto in 2001, and it appears that has not changed.