{"id":1954,"date":"2022-07-29T11:21:41","date_gmt":"2022-07-29T11:21:41","guid":{"rendered":"https:\/\/tomgeraghty.co.uk\/?p=1954"},"modified":"2023-05-09T19:57:41","modified_gmt":"2023-05-09T19:57:41","slug":"the-state-of-devops-report-2022","status":"publish","type":"post","link":"https:\/\/tomgeraghty.co.uk\/index.php\/the-state-of-devops-report-2022\/","title":{"rendered":"The State of DevOps Report 2022"},"content":{"rendered":"<p>This year, the <a href=\"https:\/\/cloud.google.com\/blog\/products\/devops-sre\/dora-2022-accelerate-state-of-devops-report-now-out\">Google \/ DORA State of DevOps Report<\/a> dived deeper into information security. In 2021, the report highlighted the importance of Secure Software Supply Chains &#8211; building in security throughout the software development cycle and supply chain.\u00a0\u00a0The research leveraged the <a href=\"https:\/\/slsa.dev\/\">Supply Chain Levels for Secure Artifacts (SLSA)<\/a> framework\u00a0in conjunction with NIST&#8217;s\u00a0<a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/sp\/800-218\/final\">Secure Software Development Framework (SSDF)<\/a>\u00a0to explore technical practices that support the development of software supply chain security.<\/p>\n<p><a href=\"https:\/\/services.google.com\/fh\/files\/misc\/2022_state_of_devops_report.pdf\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1989 size-full\" src=\"https:\/\/tomgeraghtywordpress.s3-eu-west-1.amazonaws.com\/2022\/11\/Screenshot-2022-11-14-at-12.06.00.png\" alt=\"\" width=\"736\" height=\"291\" srcset=\"https:\/\/tomgeraghty.co.uk\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-14-at-12.06.00.png 736w, https:\/\/tomgeraghty.co.uk\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-14-at-12.06.00-300x119.png 300w\" sizes=\"auto, (max-width: 736px) 100vw, 736px\" \/><\/a><\/p>\n<p>You can see from the chart above that this year&#8217;s results show a clustering in the medium performer group. 
The authors consider that this may be a result of not having data from the elite performers this year, or an effect of the pandemic restricting the ability of teams to innovate practices. It&#8217;s also worth noting that the floor has risen: this year&#8217;s low performers perform better than last year&#8217;s, so whilst the ceiling is lower, the floor is higher.<\/p>\n<p>This year&#8217;s report showed that\u00a0high-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low-trust, high-blame cultures focused on power or rules.\u00a0 This reflects the difference between <a href=\"https:\/\/psychsafety.co.uk\/psychological-safety-73-safety-i-safety-ii\/\">Safety I and Safety II approaches<\/a>, originally coined by <a href=\"https:\/\/erikhollnagel.com\/\">Erik Hollnagel<\/a>. Cultures that focus largely on avoiding risk, and on implementing rules or procedures to prevent it, actually perform worse over time than cultures focussed on looking at &#8220;what went well&#8221;, not just &#8220;what went wrong&#8221;.<\/p>\n<p>The report showed that generative organisational cultures, as described by <a href=\"https:\/\/psychsafety.co.uk\/psychological-safety-81-westrums-cultural-typologies\/\">Westrum&#8217;s Cultural Typologies<\/a>, tend towards being higher performing. 
Alongside that, other drivers of high organisational performance were:<\/p>\n<ul>\n<li>Team stability and longevity<\/li>\n<li>Transparency and confidence in funding<\/li>\n<li>Opportunities to work more flexibly<\/li>\n<\/ul>\n<p>From a technological perspective, the capabilities that contribute most to high performance are version control, continuous integration, continuous delivery, and loosely coupled architecture.<\/p>\n<p><a href=\"https:\/\/cloud.google.com\/blog\/products\/devops-sre\/dora-2022-accelerate-state-of-devops-report-now-out\"><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1988 size-medium\" src=\"https:\/\/tomgeraghtywordpress.s3-eu-west-1.amazonaws.com\/2022\/11\/Screenshot-2022-11-14-at-11.13.52-235x300.png\" alt=\"\" width=\"235\" height=\"300\" srcset=\"https:\/\/tomgeraghty.co.uk\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-14-at-11.13.52-235x300.png 235w, https:\/\/tomgeraghty.co.uk\/wp-content\/uploads\/2022\/11\/Screenshot-2022-11-14-at-11.13.52.png 328w\" sizes=\"auto, (max-width: 235px) 100vw, 235px\" \/><\/a><\/p>\n<p>Interestingly, less experienced teams who implemented trunk-based development actually\u00a0have less positive results and see:<\/p>\n<ul>\n<li>Decreased overall software delivery performance<\/li>\n<li>Increased amounts of unplanned work<\/li>\n<li>Increased error-proneness<\/li>\n<li>Increased change failure rate<\/li>\n<\/ul>\n<p>However, more experienced teams show significant benefits and\u00a0the presence of trunk-based development shows a positive impact on overall organisational performance. This is likely both an effect of the <a href=\"https:\/\/medium.com\/@ahmed.abouzaid\/devops-j-curve-and-change-management-agile-6436d0a0a2c1\">J-Curve effect<\/a> and\u00a0the additional practices required to successfully implement trunk-based development. 
The lesson for teams: keep going!<\/p>\n<p>An interesting key finding is that\u00a0the <a href=\"https:\/\/services.google.com\/fh\/files\/misc\/2022_state_of_devops_report.pdf\">State of DevOps 2022<\/a> evidence suggests that healthy, high-performing teams also tend to have good security practices broadly established. This is reinforced by evidence from other industries that <a href=\"https:\/\/psychsafety.co.uk\/psychological-safety-84-guardrails-and-failure\/\">guardrails of any kind help to reinforce psychological safety on teams<\/a>. Last year&#8217;s <a href=\"https:\/\/tomgeraghty.co.uk\/index.php\/the-accelerate-state-of-devops-report-2021\/\">(State of DevOps 2021) report<\/a> showed that Secure Software Supply Chains that integrate security practices into pipelines and processes enable teams to deliver secure software quickly, safely and reliably.<\/p>\n<p>An important aspect to consider is that\u00a0technical capabilities have a positive impact on SLSA-related practices and, through those practices, a positive impact on both software delivery performance and organisational performance.\u00a0 That is to say that SLSA practices and\u00a0continuous integration, version control and continuous delivery capabilities form a virtuous cycle: the capabilities built through CI, CD and version control are the same capabilities that enable teams to adopt and improve SLSA practices.<\/p>\n<p>Finally, a point on SRE and the \u201c<a href=\"https:\/\/www.blameless.com\/blog\/error-budget\">error budget<\/a>\u201d framework: the report shows that software delivery performance alone does not predict organisational success. Excellent software delivery combined with high reliability (high <a href=\"https:\/\/openpracticelibrary.com\/blog\/accelerate-metrics-software-delivery-performance-measurement\/\">DORA Metrics<\/a> in this case) correlates with organisational success. 
Which makes sense: when a service is unreliable, users won\u2019t benefit from pushing code faster into that fragile context.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This year, the Google \/ DORA State of DevOps Report dived deeper into information security. In 2021, the report highlighted the importance of Secure Software Supply Chains &#8211; building in security throughout the software development cycle and supply chain.\u00a0\u00a0The research leveraged the Supply Chain Levels for Secure Artifacts (SLSA) framework\u00a0in conjunction with NIST&#8217;s\u00a0Secure Software Development &hellip; <\/p>\n<p class=\"link-more\"><a href=\"https:\/\/tomgeraghty.co.uk\/index.php\/the-state-of-devops-report-2022\/\" class=\"more-link\">Continue reading<span class=\"screen-reader-text\"> &#8220;The State of DevOps Report 2022&#8221;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-1954","post","type-post","status-publish","format-standard","hentry","category-blog"],"_links":{"self":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/comments?post=1954"}],"version-history":[{"count":10,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1954\/revisions"}],"predecessor-version":[{"id":2080,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/posts\/1954\/revisions\/2080"}],"wp:attachment":
[{"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/media?parent=1954"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/categories?post=1954"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/tomgeraghty.co.uk\/index.php\/wp-json\/wp\/v2\/tags?post=1954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}