To Boost Software Supply Chain Security, Stop the Finger-Pointing

Google’s annual DevOps report finds that organizations with a low-blame, collaborative approach have stronger app dev security practices. 

For the first time in eight years, the “Accelerate State of DevOps Report” from Google’s DevOps Research and Assessment (DORA) team zooms in on software supply chain security.

It’s further proof of the growing importance of protecting application development environments, which attackers increasingly target to stealthily deliver malware via legit software-release channels.

A key takeaway from the report is quite revealing: Team culture, not technology, is the most important factor at play when it comes to effectively securing the software development lifecycle (SDLC).

“High-trust, low-blame cultures focused on performance were 1.6x more likely to have above average adoption of emerging security practices than low-trust, high-blame cultures focused on power or rules,” reads the report.

This type of team culture promotes cooperation, shared accountability and a willingness to learn from mistakes. It likely encourages DevOps team members to be proactive about security and to feel comfortable about reporting security issues, according to the report.

The study is based on a global poll of more than 1,350 respondents who work primarily in software development or engineering teams; DevOps or site reliability engineering (SRE) teams; and IT operations or infrastructure teams.

Survey questions about security topics were based on the defensive measures of the Supply Chain Levels for Software Artifacts (SLSA) framework and of the National Institute of Standards and Technology’s Secure Software Development Framework (SSDF.)

Here are other key findings from the report:

• A majority of respondents have at least partially adopted every SLSA and SSDF practice mentioned in the report, meaning that supply-chain security practices have been broadly put into practice, but plenty of room for growth remains. 

• Organizations that use public cloud platforms are more likely to incorporate SLSA practices in particular, probably because cloud providers encourage and facilitate SLSA adoption.

• Having a continuous integration and delivery (CI/CD) pipeline for software releases is critical because it offers an integration platform for supply chain security practices, such as vulnerability scanning and code analysis.

• Developers expressed a desire to run scans on their workstations before sending code to the CI/CD pipeline, so they can assess the security of their software components – especially open source ones – earlier.

• DevOps teams can do better at reducing friction between security and development processes, as 56% of respondents said that security practices slow down their application development process.

• Benefits of adopting supply-chain security processes extend beyond security risk reduction, and include having DevOps pros who suffer from less burnout and are more likely to recommend their team as a great place to work.

Some of respondents’ most widely adopted SDLC security practices were: 

• Having a centralized CI/CD system
• Monitoring public information regarding software vulnerabilities
• Preserving code history
• Analyzing and testing code continuously for vulnerabilities
• Reviewing security requirements regularly
• Defining builds exclusively through scripts
• Keeping builds isolated from each other
• Storing build definitions and configurations in text files in a version control system

Learn more

• Read a report summary or the full report
• Listen to a podcast interview with two of the authors
• Read coverage and analysis from ZDnet, Dark Reading, Silicon Angle, Cybersecurity Dive, DevClass and ITPro Today