Published on: February 21, 2023

Software supply chain security practices seeing only modest adoption

DORA Accelerate State of DevOps report shows opportunity lies within better security practices, including a focus on culture.


If you are wondering which area of DevSecOps offers tremendous opportunity for impact, look no further than the security of your software supply chain.

"Software supply chain security practices, embodied as the SLSA or SSDF frameworks, are already seeing modest adoption but are not seeing universal adoption yet. There is still a lot of room for improvement there," said Todd Kuleza, a member of Google Cloud's DevOps Research and Assessment (DORA) team and a senior user experience (UX) researcher at Google Cloud.

Kuleza, a co-author of the DORA team's 2022 State of DevOps Report, recently joined GitLab for a webcast to discuss software supply chain security adoption, including:

  • Why teams choose CI/CD and other modern development processes to improve their security posture
  • How automated security checks within integration and deployment help developers own security processes
  • How to establish team security practices to reduce developer burnout

Listen to the full webcast to learn how to model your organization's security practices around the DevSecOps capabilities of high-performing teams.

The DORA metrics have become central to how we understand software delivery velocity and team performance. They have helped organizations transition to a data-driven approach to software delivery, in line with business goals.

Securing the software supply chain

From our own GitLab 2022 Global DevSecOps Survey, we learned that more than 50% of developers are "fully responsible" for security in their organizations. Meanwhile, the DORA team found that the greatest predictor for security practices is cultural, not technical: "High-trust, low-blame cultures focused on performance are more likely to have above average adoption of emerging security practices," according to their report.

The DORA report also states that organizations with low levels of security practices have 1.4x greater odds of having high levels of burnout than teams with high levels of security.

All told, this data demonstrates that security culture and technology together have to be a primary focus for DevSecOps teams going forward.
