The State of DevOps report has become a fixture among software professionals, something like The Seven Habits of Highly Effective People but remixed with modern data analysis and aimed at software teams creating and operating modern software miracles. When the report team invited a Chainguard team member to join as a co-author on the security section, there was only one correct response: how do we get started?
This post draws on data and analysis from the over 1000 individuals surveyed for the recently published 2022 State of DevOps Report by Google Cloud and DORA and describes the report’s four top software supply chain security findings.
- Adoption of software supply chain security practices has already begun. The report provides ample evidence that the practices associated with SLSA and NIST’s SSDF are already seeing adoption, though there’s still much room for improvement.
- Teams with high-trust, “blameless” cultures are more likely to have better established software supply chain security practices. Culture matters for software supply chain security.
- Teams that use continuous integration and continuous deployment are more likely to adopt many of the technical practices associated with software supply chain security. CI/CD is a crucial enabling technology.
- Adopting software supply chain security practices not only reduces security risk but also provides intangible benefits such as reduced burnout. It’s possible to improve both an organization’s security posture and employees’ well-being by adopting frameworks such as SLSA.
In short, software supply chain security is not simply a fever dream of software vendors or security cranks. Some software teams are already adopting these practices, and this adoption can be accelerated by embracing particular cultural and technological practices. The remainder of this blog post further explains each finding.
Adoption of software supply chain security practices has already begun.
Two frameworks for software supply chain security have especially gained steam in recent years. The Supply-chain Levels for Software Artifacts (SLSA, pronounced salsa) framework focuses on end-to-end software integrity, reducing the likelihood that an attacker successfully tampers with the software build or distribution process, while the National Institute for Standards and Technology’s (NIST) Secure Software Development Framework (SSDF) focuses on a broad set of secure software development practices. The DORA survey specifically measured the extent to which software teams embrace the software supply chain security practices associated with both frameworks. While the results are rich and varied (see the detailed data here), in aggregate there is a clear trend: many of the practices already have widespread adoption, with a majority of respondents reporting that such practices are firmly established within their organization.
In other words, software supply chain security practices are not just an item on the first quarter 2023 TODO list. These practices are happening now. The hard work to be done involves removing barriers to wider and more consistent adoption.
Teams with high-trust, “blameless” cultures are more likely to have better established software supply chain security practices.
This finding is consistent with DORA’s past research on the importance of “generative” organizational culture for high-performance software delivery. Based on the ideas of Ron Westrum, a sociologist noted for his work on culture and safety in high-stakes technological domains, generative organizational cultures emphasize cooperating, sharing risks, using failure to improve (rather than to scapegoat), and exploring novelty. What’s striking is that the analysis in the report finds that these organizational attributes are linked to having more established software supply chain security practices, which suggests a cultural basis for good software supply chain security hygiene.
Trust falls might not directly improve software supply chain security, but a trusting, cooperative mentality might indeed be more important than the go-buy-xyz-widget or adopt-this-boring-security-control mentalities that sometimes seem to hog all the security oxygen. Similar to the “given enough eyeballs, all bugs are shallow” adage, it logically follows that a team on which everyone feels empowered to share security-related concerns, rather than assuming that it’s someone else’s responsibility, would see improved security outcomes.
Teams that use continuous integration and continuous deployment are more likely to adopt many of the technical practices associated with software supply chain security.
CI/CD appears to be a crucial enabler for software supply chain security. The ease and consistency that a centralized CI/CD pipeline introduces mean that software teams can ensure all code meets the same security requirements, reducing cognitive complexity and the burden of manual steps. In short, having CI/CD firmly established, according to the report’s analysis, also means that it’s more likely that teams implement a wide range of other software supply chain security practices.
Adopting software supply chain security practices not only reduces security risk but also provides intangible benefits such as reduced burnout.
The survey data provides reassuring evidence that teams with more established software supply chain security practices also report a lower chance of security breaches, service outages, and performance degradation. In other words, software supply chain security practices have, unsurprisingly, security benefits but also, perhaps surprisingly, performance and reliability benefits. Also interesting is that the survey analysis found that teams with more established security practices reported less burnout and a higher willingness to recommend their organization as a great place to work. Many of these advantages, however, either required or were amplified by the presence of CI/CD: not only was this infrastructure a critical enabler, it was also frequently a force multiplier.
The Habits of Software Teams with Highly Secure Software Supply Chains
To sum it up: software teams are already adopting software supply chain security practices. Adopting a “generative” organizational culture and instituting centralized CI/CD help. And the benefits of software supply chain security practices extend beyond security to reliability and reduced staff burnout.
So who wants a little software supply chain security? We sure do.
John Speed Meyers is a security data scientist at Chainguard. Todd Kulesza is a user experience researcher at Google.