- Organizations that use automated tools to develop and integrate applications on a consistent basis are more likely to have mature security practices in place, according to Google Cloud’s 2022 Accelerate State of DevOps Report.
- The combined practice of continuous integration and continuous delivery (CI/CD) is a leading indicator of an organization’s adoption of advanced practices associated with software supply chain security, the report said.
- Nearly two-thirds of respondents said CI/CD was very or completely established at their organization. By extension, the majority of respondents reported guidance in the Supply Chain Levels for Software Artifacts framework and the National Institute for Standards and Technology’s Secure Software Development Framework are established within their organization.
Modern development principles are crucial for enabling additional technologies and frameworks that benefit the security structure of an organization.
Application-level security scanning, which can be automated in CI/CD systems, was the most common security practice among respondents. Organizations that use these tools were also nearly twice as likely to report identifying a security vulnerability in their code or one of its dependencies, said Claire Peters, lead researcher on Google Cloud’s DevOps Research and Assessment (DORA) team.
“Without continuous integration in place, it's probably difficult for an organization to ensure that they're running a consistent set of scanners, linters and tests against the software artifacts they create,” Peters said.
Organizations that automate application-development security practices oftentimes make security less onerous for developers, the research found.
To that point, Peters said an organization’s culture, with respect to cooperation and shared risks and responsibilities, is “the biggest predictor of an organization’s application development security practices.”
Those outcomes hinge more on cultural factors, Peters said, not technical.