Software supply chain security practices seeing only modest adoption

Feb 21, 2023 · 1 min read · Leave a comment
Aathira Nair GitLab profile

If you are wondering what area of DevSecOps has tremendous opportunity for impact, look no further than security of your software supply chain.

"Software supply chain security practices, embodied as the SLSA or SSDF frameworks, are already seeing modest adoption but are not seeing universal adoption yet. There is still a lot of room for improvement there," said Todd Kuleza, a member of Google Cloud's DevOps Research and Assessment (DORA) team and a senior user experience (UX) researcher at Google Cloud.

Kuleza, a co-author of the DORA team's 2022 State of DevOps Report, recently joined GitLab for a webcast to discuss software supply chain security adoption, including:

Listen to the full webcast to learn how to model your organization's security practices around the DevSecOps capabilities of high-performing teams.

The DORA metrics have become central to how we understand software delivery velocity and team performance. They have helped organizations transition to a data-driven approach for software delivery, inline with business goals.

Securing the software supply chain

From our own GitLab 2022 Global DevSecOps Survey, we learned that more than 50% of developers are "fully responsible" for security in their organizations. Meanwhile, the DORA team found that the greatest predictor for security practices is cultural, not technical: "High-trust, low-blame cultures focused on performance are more likely to have above average adoption of emerging security practices," according to their report.

The DORA report also states that organizations with low levels of security practices have 1.4x greater odds of having high levels of burnout than teams with high levels of security.

All told, this data demonstrates that security culture and technology together have to be a primary focus for DevSecOps teams going forward.

Learn more about the DORA metrics:

“We invite you to listen to our conversation with DORA researcher Todd Kuleza to find out how to improve software supply chain security best practices.” – Aathira Nair

Click to tweet

Open in Web IDE View source