Facilitating the Spread of Knowledge and Innovation in Professional Software Development

Write for InfoQ


Choose your language

InfoQ Homepage News Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance

Google 2022 Accelerate State of DevOps Report Finds Strong Culture Predictive of Strong Performance

Google has released their findings from the 2022 Accelerate State of DevOps Report. This year's report focused on security with a specific emphasis on the software supply chain. The report found a broad adoption of the inspected practices with organizations that have a high-trust, low-blame culture leading the way in both security and operational practices.

The report, now in its eighth year, has surveyed over 33,000 individuals. For this year, the team focused on supply chain security to better analyze the relationship between security and DevOps. To ground this review, they used the Supply-chain Levels for Secure Artifacts (SLSA) framework in conjunction with NIST's Secure Software Development Framework (SSDF). These two frameworks provide a number of practices, both technical and non-technical, that the respondents were asked about.

The report found that the majority of respondents reported at least partial adoption of every practice asked about. Using application-level security scanning as part of their CI/CD pipelines was the most commonly used practice, with 63% of respondents stating that this was "very" or "completely" established. The practices of preserving code history and using build scripts are also highly established. Metadata signing and requiring a two-person review process ranked lower in responses.

Respondents' statements around implementation of supply-chain security practices

Respondents' statements around implementation of supply-chain security practices (Source: Google)


One key finding is that the largest predictor of an organization's software security practices was not technical but instead cultural. Leveraging Westrum's organizational topology, high-trust, low-blame cultures focused on performance were significantly more likely to adopt emerging security practices than low-trust, high-blame cultures that focused on power or rules. Derek DeBellis, DORA Research Lead, and Clair Peters, DORA Research Lead, also share that:

Survey results indicate that teams who focus on establishing these security practices have reduced developer burnout and are more likely to recommend their team to someone else.

This finding is in line with another two-year study performed by Google. That study also found that high performing teams need a culture of trust and psychological safety coupled with meaningful, well defined work. The 2019 State of DevOps report found that a culture of psychological safety is predictive of software delivery performance, organizational performance, and general productivity.

The report uses five key metrics to classify teams as elite, high, medium, or low performers based on their deployment frequency, lead time to change, mean-time-to-restore, change fail rate, and reliability. Reliability was added as a key metric last year, expanding from only inquiring about availability, in order to better cover more aspects of reliability engineering.

The report also found that high performing teams are at a four-year low, with no elite performing teams this year, and a subsequent increase in the number of low performers. More teams landed as medium performers this year than in year's past showing a general trend towards slightly higher software delivery practices. The team is planning further research into this change, but currently hypothesize that the pandemic may have impacted teams' ability for innovation and collaboration.

The 2022 Accelerate State of the DevOps report is now available for download from Google.

About the Author

Rate this Article