Puppet has just released the 10 year anniversary version of their annual State of DevOps Report. We were excited to partner with Puppet to bring awareness to this study and the results. A lot has changed since the first report—ten years ago, only 9% of respondents knew what DevOps was!
Every year, there are some very important findings and this year is no exception. Here are just some of the findings we found interesting in the report.
The role of automation
Overall, one of the common threads across the report was that DevOps requires automation, but automation alone does not make DevOps. 90% of high-performing teams said they automate repetitive tasks versus 25% of low-performing teams. After all, you can’t do hourly releases without automation, but you also can’t reach minimal change failure rates without cultural alignment, collaboration, and buy-in between organizations sharing their expertise in their specialty. This was one of my favorite quotes from the report:
“Automating repetitive tasks gives you the breathing room you need to step back and address strategic issues, particularly if you can move beyond just automating your own work, and start delivering value to other teams via self-service functionality, freeing you from the constant context switching of responding to external requests as they come in.”
The idea here is that tools, like Bridgecrew, automate away some of the day-to-day toil for security and ops teams. This resolves many of the low-hanging, frequent issues that cause alert fatigue. That clears up time to address more difficult problems like cultural alignment and deeper analysis and helps deliver a self-service platform that developers can use to securely design and deliver applications.
One trend I’ve seen from our customers was reinforced by the study. DevOps cultures are most effective when there is support from the top-down and bottom-up. This is apparent in the report when they cite that 31% of low-performing teams and 21% of mid-performing teams face organizational resistance to change, but it doesn’t show up in the top issues faced by high-performing teams. When there isn’t top-down buy-in, you see pockets of DevOps practices, but resistance to company-wide adoption. This creates friction even for the teams adopting DevOps when they run into cross-organizational friction.
What about DevSecOps?
When it comes to security, the report includes a great debate about the best way to include Security in DevOps. We won’t give away all of the details of both sides of the debate, but there is one definitive finding—high-performing organizations have shifted security left. In fact, 51% of high-performing organizations include security in the requirements phase and 61% in the design phase.
That’s even further left than the build and runtime phases. This is in stark contrast to low-performing organizations that largely wait for an audit or an incident to perform security reviews. Resolving issues after an audit or incident creates undue stress and even more work for overtaxed teams than addressing issues before new code is pushed to production.
Check out this year’s report for more detail and in-depth analysis of the current state of DevOps adoption today and join Puppet and Bridgecrew for a webinar discussing the paper and the security implications on September 28th!