informa
3 MIN READ
News

Google Cloud DORA: Securing the Supply Chain Begins With Culture

The team's annual survey finds that the right development culture is better than technical measures when it comes to shoring up software supply chain security practices. An additional benefit: Less burnout.

Companies that focus on trusting their developers, looking beyond blame, and striving for strong cooperation tend see greater adoption of measures that contribute to more secure software supply chains.

According to the annual 2022 Accelerate State of DevOps published on Sept. 28 by Google Cloud's DevOps Research and Assessment (DORA) team also found that DevOps teams that focused on good security practices had a lower rate of burnout, with low-security teams having 1.4 times greater odds of voicing high levels of stress.

While technical infrastructure did help, the survey shows that starting with, or developing, the right culture is extremely important.

For instance, the DORA survey at the heart of the report measured DevOps teams' adherence to 13 different aspects measured by the Supply-chain Levels for Software Artifacts (SLSA) security framework, which calls for building product releases using centralized continuous integration/continuous development (CI/CD) systems, storing change histories indefinitely, defining software builds through scripts, and isolating the build process. And even though the majority of companies had completely or moderately implemented all of the 13 practices, those that had more collaborative and less blame-oriented cultures did better, the DORA survey found.

"More open, generative cultures ... tend to have positive effects for organizational performance as well as for the people who work there," says Todd Kulesza, one of the authors of the report and a senior user-experience (UX) researcher at Google Cloud. "What we want to see is — if there is a security problem — we want the engineers to feel empowered and safe to bring attention to that. You don't want your developers to sweep things under the rug, especially in terms of the security."

The survey unfortunately found that there's work to do on the collaborative front: Many software developers feel there is a gulf between programmers and application-security teams.

"High-friction approaches to security can be frustrating for developers and ineffective overall, as people try to avoid the friction points," the report stated. "The developers we spoke with wanted to do the right thing, and often discussed frustration that shipping features or fixes consistently took priority over potential security issues."

Supply Chain Security: Critical Barometer for DevOps Performance

In its eighth year, the DevOps Research and Assessment (DORA) team's annual report has strived to identify best practices among teams that use the DevOps approach to software development. In 2021, the DORA group found that software supply chain security had become a critical component of high-performing DevOps organizations, so this year, the researchers focused on determining what led to successful outcomes on that front.

Security practices for DevOps chart
Most DevOps teams have adopted SLSA practices. Source: Google Cloud's 2022 DORA report.

In the survey, Google focused on adoption of security practices that are part of supply chains.

In addition to DevOps teams' adherence to the SLSA framework, the survey asked developers the degree to which they comply with dozens of security practices that form the Secure Software Development Framework (SSDF) created by the US National Institute of Standards and Technology (NIST).

Organizations that had highly cooperative teams that shared risks and responsibilities, and prioritized learning over blame — so-called "generative" cultures — were more likely to adopt more than two dozen of those security practices, the survey of DevOps practitioners found.

"A lot of these practices — I'm not going to say that they are 100% established across organizations — but a lot of these practices have 50% or more of practitioners reporting that it is established or very well established," says John Speed Meyers, a co-author of the report and a security data scientist at software supply chain security firm Chainguard. "There is a lot of room for improvement, but these things are not so hard that no one is doing it."

The survey also measured developer burnout, based on how highly they rated their agreement with statements such as "my feelings about work negatively affect my life outside of work" and "I am indifferent or cynical about my work." Teams that did not focus on security were 40% more likely to agree or strongly agree with these statements.

In addition, teams that had the worst change failure rates and took the longest to deploy — anywhere from once a month to once every six months — also had high rates of burnout.