One in Six Developers in Healthcare Industry Report Open Source Software Breaches, Sonatype Finds
Nearly One-Third of Happy Coders Say Security is a Top Concern, Showing Desire for Change in the Industry

Fulton, MD – June 4, 2020 – Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today published Healthcare industry-specific findings from its seventh annual DevSecOps Community Survey. The survey pulls back the curtain on successful DevSecOps practices and secure coding, and highlights trends in different verticals, including Healthcare.

Within Healthcare organizations, Sonatype found that motivations to implement security controls were largely driven by compliance requirements (50%), but surprisingly, executives were 7.5 times more likely than developers to implement secure development practices as a competitive advantage. When it came to automating governance and compliance to improve security, Mature DevOps teams were two times more likely to properly integrate automated security tools compared to their Immature healthcare industry peers.

One area for improvement for the industry is security, especially against the backdrop of the ongoing pandemic and the cyber attacks on healthcare organizations that have occurred during the crisis. The survey found that developers in more than 1 in 6 organizations reported breaches tied to open source software components used in applications. To limit susceptibility to breaches related to open source software, mature DevOps respondents in the survey revealed that they were 1.5 times more likely to keep a complete Software Bill of Materials (SBOM), a practice, also recommended by the FDA, that can dramatically reduce a healthcare organization’s window of exploitability.

When it comes to making developers happy at work, the data point to two critical factors. Training is important to them — 67% of happy healthcare developers said self-paced e-learning is made available to them, while 75% of grumpy developers in the industry said they don’t get any training. The second factor is team harmony: when asked who causes the most friction on their teams, 29% of happy healthcare developers said “none,” while 50% of grumpy developers said executives. Given this, it’s key that healthcare technology leaders design work cultures in which their developers can thrive, leading to more secure code and applications, and better healthcare delivery overall.

“DevSecOps practices are proving transformational for every industry, but it’s especially critical that we get them right for healthcare, given its pivotal role in our communities,” said Derek Weeks, Vice President at Sonatype. “The Healthcare Proof of Concept report released by NTIA, and encouraged by the likes of the FDA, is a crucial step in making healthcare applications built by developers more secure, but it is up to this industry’s tech leaders to help enact day-to-day change today.”

The full report with these findings and others is available here.

About the DevSecOps Community Survey

The 2020 DevSecOps Community Survey is based on responses from 5,045 software professionals across the globe and provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 34 questions asked by Sonatype and our DevOps community advocates, including All Day DevOps, Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute, DevSecOps Days, NowSecure, Security Boulevard and Verica. The survey’s margin of error is ± 1.226 percentage points at the 95% confidence level.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

Mission North for Sonatype