Happy developers more likely to build secure apps

There’s an intrinsic link between developer happiness and application security hygiene, and an alarming level of application breaches, according to Sonatype.

For the first time ever, the findings prove the correlation between developer happiness and application security hygiene, with happy developers 3.6x less likely to neglect security when it comes to code quality. Happy developers are also 2.3x more likely to have automated security tools in place, and 1.3x more likely to follow open source security policies.

In addition, the findings showed that developers working within mature DevOps practices are 1.5x more likely to enjoy their work, and 1.6x more likely to recommend their employer to prospects, highlighting the significant role DevSecOps transformations play in both application security and developers’ job satisfaction.

The study also revealed that 28% of mature organizations are aware of an open source component-related breach in the past 12 months, compared to 19% of respondents with immature DevOps practices.

The importance of mature DevOps practices

While breaches appear higher for mature DevOps practices, industry advocates point to cultural differences that reward open communication, welcome new information, and encourage tighter collaboration between developer and security tribes.

“Developer happiness based on mature DevOps practices is fundamental to the quality and delivery of secure software,” said Derek Weeks, Vice President at Sonatype.

“By introducing mature DevOps practices, businesses can not only innovate faster, they can enhance their development teams’ job satisfaction, and ultimately differentiate themselves as employers – critical when so many companies face significant skills shortages and increased competition.

Development velocity is accelerating rapidly

55% of respondents deploy code to production at least once per week, compared to 47% of respondents in 2019. As year over year velocity increased, 47% developers continued to admit that while security was important, but they did not have time to spend on it – a finding consistent with the same survey in 2018 (48%) and 2019 (48%).

High automated security investments

Automated security investments are highest, with open source governance (44%), web application firewalls (59%), and intrusion detection (42%).

The greatest differences in investment priorities between mature and immature DevOps programs are seen across Container Security, with mature practices investing 2.2x more than immature practices; this is closely followed by investments in Dynamic Analysis (DAST) and Software Composition Analysis (SCA), with 2.1x and 1.9x more respectfully.