Company Culture Predicts Software Development Security Practices

Company culture is the biggest predictor of application-development security practices, says the latest Accelerate State of DevOps report from Google Cloud’s DevOps Research and Assessment (DORA) team. Specifically, “high-trust, low-blame cultures focused on performance were 1.6 times more likely to have above average adoption of emerging security practices,” the report says.

Additionally, the report says, “teams that focus on establishing these security practices have reduced developer burnout.”

Organizational Performance

This survey of 33,000 professionals focused on software supply chain security (through the Supply Chain Levels for Software Artifacts (SLSA) framework) and key areas of DevOps, such as:

  • Software delivery performance, including deployment frequency, lead time for changes, change failure rate, and time to restore service
  • Operational performance, including reliability
  • Organizational performance

High-trust and low-blame cultures, says the report, “tend to have higher organizational performance.” Other cultural factors associated with higher performance include:

  • Feeling supported through funding and leadership
  • Team stability
  • Positive perceptions of one’s team
  • Flexible work arrangements

Technical predictors of high organizational performance include reliability engineering and cloud usage. For example, the report found that “companies with software initially built on and for the cloud tend to have higher organizational performance.”

Cloud Usage

Cloud usage impacts organizational performance through indirect factors, the report states. “One example is supply chain security, where we found that organizations using public clouds were also more likely to implement SLSA practices … The broader point is that using cloud platforms opens a team up to inherit many capabilities and practices that eventually flow into higher organizational performance.”

Cloud-usage statistics from the survey include:

  • Use of public cloud, including multiple clouds, increased from 56 percent in 2021 to 76 percent in 2022
  • Use of multiple public clouds increased to 26 percent (up from 21 percent in 2021)
  • Hybrid cloud usage increased to 42 percent (up from 25 percent)
  • Private cloud usage increased to 32 percent (up from 29 percent)

In the Loop

This year’s survey also looked at various DevOps practices, breaking the process down into two broad categories: “the inner loop, which comprises developer tasks such as coding, testing, and pushing to version control, and the outer loop, which includes activities such as code merge, automated code review, test execution, deployment, and release.”

The report found that teams that excel at both inner and outer loop practices ship code faster and with greater reliability. According to the report, high performers who meet reliability targets are also:

  • 33 percent more likely to use version control
  • 39 percent more likely to practice continuous integration
  • 46 percent more likely to practice continuous delivery
  • 40 percent more likely to have systems based on a loosely coupled architecture

Overall, the report states, culture is a primary aspect of DevOps, because, “at the most basic level, DevOps is about tools, practices, and how people work together to develop and deliver software quickly, reliably, and safely. Understanding the factors that impact an organization’s culture can help leadership tackle culture-related challenges head-on.”

Learn More

2022 Report Highlights Growth of SRE Practices from FOSSlife
How SBOMs Strengthen the Software Supply Chain from FOSSlife
What Is a DevOps Engineer? from FOSSlife
Top Skills for DevOps Engineers from FOSSlife
