A new report from Google Cloud has surprisingly found that the biggest predictor of an organization’s application-development security processes is cultural, not technical, among other findings on application security.

The 8th Annual State of DevOps report released today by Google Cloud’s DevOps Research and Assessment team focused on security this year given that more than 22 billion records were exposed to data breaches last year. Between data breaches and other malicious attacks, the report argues, security continues to be top of mind for organizations as they work to keep customer data safe and their businesses up and running.

To analyze the relationship between security and DevOps, the report explored the topic of software supply chain security. The DORA team used the Supply-chain Levels for Secure Artifacts framework, as well as the National Institute of Standards and Technology’s Secure Software Development Framework. Together, the frameworks allowed the exploration of the technical and nontechnical aspects that influence how an organization implements and thinks about software security practices.

The first key takeaway from the report is that there has been broad adoption of emerging security practices, with most respondents reporting at least partially adopting every practice asked about. Application-level security scanning as part of continuous integration/continuous delivery systems for production releases was the most common practice, with 63% of respondents saying this was “very” or “completely” established. Preserving code history and using build scripts are also highly established, while signing metadata and requiring a two-person review process have the most room for growth.

While delving deeper, the researchers, to their surprise, found that the most significant predictor of an organization’s software security practices was cultural, not technical. High-trust, low-blame cultures focused on performance were significantly more likely to adopt emerging security practices than low-trust, high-blame cultures focused on power or rules.

Survey results indicate that teams that focus on using emerging security practices have reduced developer burnout and are more likely to recommend their team to someone else. Organizational culture and modern development processes such as continuous integration were the biggest drivers of an organization’s software security and are the best place to start for organizations looking to improve their security posture.

The report also found that when it comes to DevOps, software delivery performance isn’t the whole picture — it can also contribute to the organization’s overall operational performance. A cluster analysis of categories and metrics found four distinct types of DevOps organizations. DevOps is the practice of combining software development and information technology operations teams to produce applications faster and better.

The first “Starting” cluster performs neither well nor poorly across any dimensions and typically may be in the early stages of its product, feature, or service development. The “Flowing” cluster performs well across all characteristics, with high reliability, high stability and high throughput, but only 17% of respondents achieve this flow state.

Respondents in the “Slowing” cluster are described as not deploying too often, but they are likely to succeed when they do. More than a third of responses fall into this cluster, making it the most representative of those surveyed. A final “Retiring” cluster is when teams are working on a service or application that is still valuable to them and their customers but no longer under active development.

Images: Pixabay, Google