APRIL 17, 2020
Why Happy Developers Create More Secure Code
DJ Schleen | DevSecOps Advocate, Sonatype
Derek E. Weeks | Co-founder, All Day DevOps
“In God we trust, all others bring data.”
- W. Edwards Deming
2014 2015 2016 2017 2018 2019 2020
Our 1st survey
1st DORA Report
Heartbleed vuln.
Equifax breach. 88% of those with mature DevOps practices are investing in application security training.
7th annual survey
48% of developers don't have enough time to spend on security
The top 10 countries represented were:
● United States
● United Kingdom
● India
● Canada
● Australia
● Spain
● Netherlands
● Germany
● Singapore
● Israel
5,045 people shared their views for this survey.
Where Do You Come From?
What Is Your Quest?
@weekstweets
@djschleen
[Chart: U.S. Employee Engagement Trend, annual averages, % Engaged and % Actively Disengaged, 2000 to 2018. Source: Gallup. Note: 2019 results are for January through June]
53% were “not engaged”
“Coming together is a beginning. Keeping together is progress. Working together is success”
- Henry Ford
Westrum’s Three Cultures Model
Who causes the most friction on your team?
10% of Happy Developers say “Nothing”
80% dissatisfied with management are disengaged.
Friction is a force that slows things down
Job satisfaction is higher in mature DevOps practices
1.6x less likely to recommend employer
1.5x happier employees
1.3x more likely to get work done
How are you informed of application security issues?
Happy developers are informed 1.3x more by tooling and 3.8x less by rumor
“The only person who is educated is the one who has learned how to learn and change.”
- Carl Rogers
What application security training is available to you?
Instant Security Champion Program
● Take one person per team.
● Invite everyone.
● Provide curated training by technology.
● Have one meeting per month.
Gallup discovered the top 25 best managed and engaged teams had 50% fewer accidents and 41% fewer quality defects
Developers who receive training on how to code securely are 5x more likely to enjoy their work.
How frequently do you deploy to production?
55% deploy at least once per week
Over the past decade the average time to exploit dropped from 45 days to 3 days
The software supply chain and vulnerable component usage remains a massive problem
Open source component related breaches continue to drop but still occur way too often.
Mature DevOps practices are more aware of breaches than immature practices.
“if a developer ever has a choice between working on a feature or developer productivity, they should always choose developer productivity.”
- Gene Kim, The Unicorn Project
What security tools do you use?
Integration of security tooling is hard
Are your tools properly integrated?
Open Source Contributions are welcome!
Derek Weeks
@weekstweets
DJ Schleen
@djschleen
Thank You!
Why happier developers create more secure code