2022 Accelerate State of DevOps Report PDF
2022
Summary
The 2022 Accelerate State of DevOps Report is a comprehensive analysis of software supply chain security and organizational performance, drawing on responses from 33,000 professionals. It explores metrics of software delivery performance, operational and organizational performance, and the factors impacting these outcomes, including burnout and team recommendations.
Full Transcript
2022 Accelerate State of DevOps Report
v. 2022-12

Table of contents

01 Executive summary
02 How do you compare?
03 How do you improve?
   Introduction
   Cloud
   SRE and DevOps
   Technical DevOps Capabilities
   Culture
04 Why supply chain security matters
05 Surprises
06 Demographics and Firmographics
07 Final thoughts
08 Acknowledgements
09 Authors
10 Methodology
11 Further reading
12 Appendix

01 Executive summary

Derek DeBellis, Claire Peters

For the last eight years, we have produced the Accelerate State of DevOps report, hearing from 33,000 professionals along the way. Our research focuses on examining how capabilities and practices predict the outcomes that we consider central to DevOps:

Software delivery performance – The Four Key Metrics of software delivery performance: deployment frequency, lead time for changes, change failure rate, and time to restore service.

Operational performance – The Fifth Key Metric, reliability.

Organizational performance – How well your organization meets performance and profitability goals.

We also focus on the factors that underlie other outcomes like burnout and the likelihood that employees will recommend their teams.

Securing the software supply chain

In 2021, we found that securing the software supply chain is essential to reaching many important outcomes.

This year we dug deeper on software supply chain security, making it a primary theme of our survey and report. We leveraged the Supply Chain Levels for Secure Artifacts (SLSA) framework to explore technical practices that support the development of software supply chain security. We also used the National Institute for Standards and Technology’s Secure Software Development Framework (NIST SSDF) to explore attitudes, processes, and non-technical practices related to securing the software supply chain.

We found that the biggest predictor of an organization’s application-development security practices was cultural, not technical: high-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low trust, high-blame cultures focused on power or rules. We also found early evidence suggesting that pre-deployment security scanning is effective at finding vulnerable dependencies, resulting in fewer vulnerabilities in production code.

Adoption of good application development security practices was correlated with additional benefits. We found that teams that focus on establishing these security practices have reduced developer burnout; teams with low levels of security practices have 1.4x greater odds of having high levels of burnout than teams with high levels of security.1 The teams that focus on establishing security practices are significantly more likely to recommend their team to someone else. Further, SLSA-related security practices positively predict both organizational performance and software delivery performance, but this effect needs strong continuous integration capabilities in place to fully emerge.

1 We conceptualize high in this stat as >= 1 standard deviation on the score (e.g. security) and low as