Software supply chain security practices seeing only modest adoption

Feb 21, 2023 · 1 min read
Aathira Nair

If you are wondering what area of DevSecOps has tremendous opportunity for impact, look no further than security of your software supply chain.

"Software supply chain security practices, embodied as the SLSA or SSDF frameworks, are already seeing modest adoption but are not seeing universal adoption yet. There is still a lot of room for improvement there," said Todd Kuleza, a member of Google Cloud's DevOps Research and Assessment (DORA) team and a senior user experience (UX) researcher at Google Cloud.

Kuleza, a co-author of the DORA team's 2022 State of DevOps Report, recently joined GitLab for a webcast to discuss software supply chain security adoption, including:

Listen to the full webcast to learn how to model your organization's security practices around the DevSecOps capabilities of high-performing teams.

The DORA metrics have become central to how we understand software delivery velocity and team performance. They have helped organizations transition to a data-driven approach to software delivery, in line with business goals.

Securing the software supply chain

From our own GitLab 2022 Global DevSecOps Survey, we learned that more than 50% of developers are "fully responsible" for security in their organizations. Meanwhile, the DORA team found that the greatest predictor for security practices is cultural, not technical: "High-trust, low-blame cultures focused on performance are more likely to have above average adoption of emerging security practices," according to their report.

The DORA report also states that organizations with low levels of security practices have 1.4x greater odds of having high levels of burnout than teams with high levels of security.

All told, this data demonstrates that security culture and technology together have to be a primary focus for DevSecOps teams going forward.

Learn more about the DORA metrics:
