State of DevOps 2021: Benefits of a Secure Software Supply Chain

As more and more organizations embrace digital transformation and ways of conducting business virtually, we have unfortunately seen a corresponding increase in the number of data breaches and cyberattacks. In 2020 alone, more than 22 billion records of confidential personal information or business data were exposed, according to Tenable’s 2020 Threat Landscape Retrospective Report. These data breaches are more than just leaked bits of information; they have long-term implications for the people who trusted the impacted businesses to keep their personal data secure.

As a community, it’s tech’s responsibility to build services and applications that can be trusted by the people we serve. However, it requires a significant investment to make changes to how your team and organization operate. How will adding more security measures to your processes affect the outcomes your team and organization care about? The 2021 Accelerate State of DevOps Report highlights the way integrating security best practices throughout the software development process impacts a team’s ability to deliver and operate software as well as meet business goals. 

With seven years of research and more than 32,000 survey responses from industry professionals, the 2021 Accelerate State of DevOps Report examines the software development and DevOps practices that make teams and organizations most successful. This year, 1,200 working professionals from a variety of industries around the globe shared their experiences to help grow our understanding of the factors that drive higher performance, including security. 

Consistent with previous reports, we found that elite performers excel in implementing security best practices and were twice as likely to have security integrated with their software development process. This suggests that teams who have accelerated delivery while maintaining their reliability standards have found a way to integrate security checks and practices without compromising their ability to deliver software quickly or reliably. 

In addition to exhibiting high delivery speed and operational performance, teams who integrate security best practices throughout their development process are 1.6 times more likely to meet or exceed their organizational goals.

Teams that embrace security drive significant value to the business, but what meaningful steps should be taken to see these benefits? The table below shows the percentage of respondents from the 2021 Accelerate State of DevOps Report who leverage specific security best practices. Consider implementing these practices in your organization to ensure you maintain a secure software development life cycle: 

| Security best practice | Respondents |
| --- | --- |
| Test for security. Test security requirements as a part of the automated testing process, including areas where pre-approved code should be used. | 58% |
| Integrate security review into every phase. Integrate information security (infosec) into the daily work of the entire software delivery life cycle. This includes having the infosec team provide input during the design and architecture phases of the application, attend software demos and provide feedback during demos. | 54% |
| Security reviews. Conduct a security review for all major features. | 60% |
| Build pre-approved code. Have the infosec team build pre-approved, easy-to-consume libraries, packages, toolchains and processes for developers and IT operations to use in their work. | 49% |
| Invite infosec early and often. Include the security engineering team during planning and all subsequent phases of application development, so that they can spot security-related weaknesses early and give the team ample time to fix any vulnerabilities identified. | 63% |

This year’s report investigated a variety of capabilities and practices that drive performance, and security was just one. In the 2021 Accelerate State of DevOps Report, we also examined the effects of SRE best practices, the pandemic and burnout, and quality documentation, and we revisited our exploration of how organizations are leveraging the cloud. If you’d like to read the full report or any previous report, you can visit cloud.google.com/devops.
