To build secure software, team culture matters more than technology, according to the 2022 version of the State of DevOps report
Google recently released the results of the 2022 Accelerate State of DevOps report. This year, the report focused on security, with an emphasis on the software supply chain. The goal was to better understand the relationship between security and DevOps. The report found widespread adoption of the practices inspected, with organizations that have a culture of high trust and low blame taking the lead in operational and security practices. The authors also found an increase in poor outcomes, from 7% in 2021 to 19% this year.

The Accelerate State of DevOps report has been published annually since 2014 by Google’s DevOps Research and Assessment (DORA) team. The team says it has surveyed 33,000 practitioners worldwide since 2014, covering all major business sectors. This year’s Accelerate State of DevOps report is based on a survey of 1,350 professionals – 68% of whom work in development, engineering, or IT operations and infrastructure – from a balanced mix of large organizations (more than 10,000 employees) and small ones (20-99 employees).

This year’s edition reports a decline in what the team calls “software operational performance” since last year, an increase in cloud usage, and the fact that CI/CD (Continuous Integration/Continuous Delivery) is critical to software security. The researchers also conclude that for developing secure software, a strong culture of collaboration is more important than any technical characteristic. Below are the highlights from the 2022 edition of Google’s Accelerate State of DevOps report.

Security

The team continued the research it began in 2021 on software supply chain security, examining both the technical practices that improve software supply chain security and the non-technical practices that affect an organization’s ability to excel at securing its software supply chain. It relied on two frameworks to guide its research: NIST’s Supply Chain Levels for Software Artifacts (SLSA) and Secure Software Development Framework (SSDF). The main conclusions in this area are:

  • shifting security left is a widely adopted practice. The study shows that two-thirds of respondents actively pursue securing the software supply chain by integrating security seamlessly into the development process;
  • culture is the primary driver for the adoption of security practices. One might expect technology to be the primary driver, but the research shows that a generative organizational culture (e.g., performance-oriented, highly cooperative, risk-sharing) leads to healthier software practices;
  • technical practices around CI/CD predict security success. Companies that use source control, continuous integration (CI), and continuous delivery (CD) have more established SLSA practices. These practices bring security to developers and ensure consistent security analysis;
  • the cloud enables secure software practices. The five characteristics of cloud computing defined by NIST enable the successful adoption of software supply chain security, which in turn predicts better organizational performance.

“We found that the biggest predictor of an organization’s application development security practices was cultural, not technical. High-trust, low-blame cultures focused on performance were 1.6 times more likely to have above-average adoption of emerging security practices than low-trust, high-blame cultures focused on power or rules,” the report says. Since a collaborative culture is also aligned with other aspects of successful software teams, that is perhaps the key message here.

If there is a problem, it is best to fix the organizational culture first; improvements in developer performance, including security, will follow. Individuals and interactions over processes and tools, the Agile Manifesto said in 2001, and it seems that has not changed. Additionally, the report adds that companies that prioritize and excel in securing the software supply chain experience less downtime, anticipate fewer security breaches, and exhibit high levels of performance.

The data also showed that through the use of modern practices such as continuous integration, teams can improve their security posture and even amplify the positive impact of these security practices on software delivery metrics (MTTR, deployment frequency, service restoration time) and overall organizational performance.

Culture

As highlighted above, the greatest predictor of application development security practices is the adoption of a generative organizational culture based on risk and information sharing. Moreover, the study seems to indicate that elements of this type of culture lead to better overall organizational performance. Research has shown that high organizational performance can be achieved by fostering environments that are:

  • supportive: According to the report, teams that feel supported and benefit from leadership support (e.g., greater financial support, greater resource allocation, sponsorships, etc.) are associated with high-performing organizations;
  • stable: Teams whose composition has not changed much in the last 12 months are more likely to be part of high-performing organizations;
  • flexible: Organizations that provide greater flexibility around where to work (remote, in-person, or hybrid) perform better overall.

Again this year, the team focused on burnout and broadened the scope of the study to understand which elements of culture contribute to lower levels of burnout. It found that generative culture, team stability, and work flexibility all contributed to a reduction in employee burnout.

Cloud

In the 2022 edition of Google’s Accelerate State of DevOps report, the team says public cloud usage is up 36% from 2021, while the share of companies reporting no cloud usage is down 50%. Hybrid cloud usage is up 25%. Additionally, the report notes that, unsurprisingly, the use of cloud computing is associated with better organizational performance. Respondents who used the cloud were 14% more likely to exceed organizational performance goals, the researchers found.

The team recalls that in previous years it found that it was not “cloud use” per se that drove organizational performance, but rather the realization of the five essential characteristics of cloud computing: on-demand self-service, broad network access, resource pooling, rapid elasticity, and measured service. This year, it found that cloud computing enables things like reliability, continuous delivery, and improved supply chain security, which are the drivers of organizational success.

More than 50% of respondents to the survey said they use multiple cloud computing providers. The team asked respondents how they benefited from using multiple cloud computing providers. Here are the three main benefits cited:

  1. availability;
  2. exploiting the unique advantages of each provider;
  3. spreading trust across multiple vendors.

Since reliability seems to be the key to a successful software delivery organization, it is no surprise that uptime is cited by nearly 63% of respondents as a benefit of using multiple clouds.

Reliability

According to the team, its research in previous years showed that those who excel in technical practices also excel in organizational performance. This year, it has more nuanced data on the subject: it found that software delivery performance does not predict good business outcomes unless those practices are coupled with reliability. Think about it: will a customer be satisfied with new features if the service is not stable? What is the advantage of quickly introducing code into a fragile environment?

Thus, the researchers claim that reliability is an essential component of improving organizational performance through software delivery performance. They also find that the impact of site reliability engineering (SRE) on organizational performance is not linear; reliability engineering practices often do not translate into additional reliability or organizational performance until a certain level of maturity is reached.

The report also indicates that it is important for teams to know this and to treat their SRE practice as an investment. Initially, there probably will not be any glitter and unicorns as you build reliability, but as you progress you will likely achieve high performance and success, the team explains.

Source: The 2022 edition of the Accelerate State of DevOps report

And you?

What do you think of the conclusions of the 2022 edition of the Accelerate State of DevOps report?
