Derek Weeks, co-founder of AllDayDevOps, and DJ Schleen, a tech advocate for Sonatype, want to show you why happy developers create more secure code...with data!
Deming and Data
The industry has collected a lot of data over the years, from what makes an organization high performing, to what makes developers happy. Today, we’ll look at some data in the spirit of W. Edwards Deming, a quality specialist who loved to dive deep into data.
We will look at survey results from people across the community over a period of months. This data comes from multiple organizations that helped build the 2020 DevSecOps Community Survey.
A Quick History of Surveys
Sonatype and its partners have been surveying people for a few years now. They started in 2014, near the time the Heartbleed vulnerability was discovered. Since then, the survey focused more on software security.
Who Responded to This Survey?
In the most recent iteration of the survey, 5,045 people shared their responses across 102 countries and across many different industries, although mostly in technology. Respondents identified what their role was in their organization. There have been some changes in the survey year over year.
This year saw a rise in people who call themselves “DevSecOps specialists”. It also had more people slotting themselves into security-focused roles. This says that more people are thinking about security as being at the forefront of their job.
In this survey, Sonatype wanted to hone in on who was just starting their DevSecOps journey and who was considered elite in the industry. There's a chance we can find some interesting data by delving into these differences.
Sonatype also strived to contrast those who were happy in their organizations versus who may be dissatisfied in their current positions. They then looked at the characteristics of those results.
To supplement this contrast, there was a Gallup poll that surveyed employee engagement in the US from 200 to 2018:
It shows that over 50% of people are actively disengaged from their organization and the work that they do.
There is common wisdom that says happier employees will make the organization as a whole more effective, and this shows that many companies have improvements to make.
Thinking About Culture
In general, there are three categories of culture in an organization:
- Pathological, or power-oriented.
- Bureaucratic, or rule-oriented.
- Generative, or performance-oriented.
Organizations should strive to be generative. Generative organizations are highly cooperative and are constantly improving their effectiveness through learning and risk sharing.
Non-generative organizations will create employee dissatisfaction. For example, blaming a team for not meeting sprint commitments will dishearten developers. They may actually pull less work from the backlog in order to ensure they do not get blamed again.
Sonatype’s survey asked participants who cause the most friction versus satisfaction for them:
The survey, combined with the Gallup poll, found that happy developers said there was no friction. But 80% of the employees said management was the biggest source of friction and were dissatisfied and disengaged from their work.
Reducing Unhealthy Friction
When we talk about friction, take into account that not all friction is bad. Friction can be healthy, slowing things down in order to increase quality. When friction is found, it is often good to automate processes so that preferred protocols are followed more often.
When it comes to unhealthy friction, we want to look at cultural aspects that can affect friction for better or for worse. For example, a caring culture can perform highly at communication and engagement but have friction in over-consensus and decision by committee. In contrast, a results-oriented culture can produce high stress but can achieve high throughput of software delivery.
Job Satisfaction and DevOps
We know that DevOps practices reduce unhealthy friction and automate healthy friction, but how does that affect job satisfaction?
Survey results showed that organizations with mature DevOps practices had much higher job satisfaction. In fact, more than 82% of developers with mature DevOps practices said they would recommend their company to potential job seekers.
Happy Developers and Security
How are these happy developers thinking about security? Survey results show that they are informed 1.3x more by tooling and informed 3.8x less by rumor when compared to unhappy developers.
Also, satisfied developers actively research and pursue security knowledge for their teams:
Happy developers educate themselves more frequently. This leads to learning and changing their organization for the better. Happy developers have more e-learning available to them and are more likely to have security training in some fashion. Finally, happy developers act as a first line of defense in security.
How Can We Encourage Happier Developers To Learn More Security?
How can we help developers go from grumpy to happy with security? We can take one person from each team and create a security champion program. Invite everyone, but have these members be the champions for learning security. Host it once a month and supplement it with security training sessions.
According to the Sonatype survey, developers who receive training like this will be happier and more engaged.
Deployment and Vulnerability Exposure
With both unhappy and happy developers, at least 55% said they deploy to production at least once a week. This is a significant improvement over past surveys.
In fact, over the past decade, the average time from a vulnerability being discovered to when it is patched has dropped from 45 to 3 days.
We are seeing these happier developers actively reducing vulnerability exposure rates through mature DevOps practices like fast, automated deployments.
In the open source community, we are seeing breaches continue to drop, but they still occur frequently.
One in five open source components still have breaches.
To help combat this, we can see that organizations with mature DevOps practices are more aware of breaches than ones with immature practices by 4%–9%.
What Security Tools Make People More Productive?
What security tools make developers more mature in DevOps and productive? The survey finds that automation is key to enabling both security and productivity. Many of the tools that have a big impact are ones like application firewalls—tools that automatically detect and block vulnerable communication. Productive teams have these tools properly integrated. It is hard work, but mature teams make the investment.
The most recent survey results revealed a lot of information about how happier developers are more productive and produce more secure software. Happiness influences includes everything from the business culture, to the kinds of automation in place, and what tools are integrated into the development process. Happier developers are also well-trained and actively engaged in their team’s security practices.
This post was written by Mark Henke. Mark has spent over 10 years architecting systems that talk to other systems, doing DevOps before it was cool, and matching software to its business function. Every developer is a leader of something on their team, and he wants to help them see that.
Photo by Lidya Nada