Sonatype Finds Links Between Leading DevSecOps Practices and Happy Developers Within the Financial Services Industry


Mature Practices are 3.3 Times More Likely to Prioritize Application Security and 1.2 Times More Likely to Enjoy Their Work

Fulton, MD – June 4, 2020Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today published the Financial Services industry findings from its seventh annual DevSecOps Community Survey. The data look at DevOps practices in financial services and reveal connections between organizations’ adoption of DevOps practices, developer happiness and secure development.

Sonatype found that more than half of developers (53%) in Financial Services report having immature DevOps practices, while 34% categorized their practices as improving and only 13% as mature. This compares slightly less favorably to respondents across all industries where 49% mark their DevOps practices immature, 36% as improving and 15% as mature

The survey also found a direct correlation between DevOps maturity and happier, more collaborative developer behavior across sectors. Developers in the Financial Services sectors with mature DevSecOps practices are 1.2 times more likely to enjoy their work. They are also far less likely to name management as a cause of friction on their teams — 13% of happy developers do so vs. 42% of their grumpier colleagues — suggesting that mature practices can improve organizational cultures and team happiness in addition to boosting security outcomes.

One of the biggest differentiators of mature vs. immature DevSecOps practices is the tight integration of security tools into development workflows. As an example, 50% of those with mature practices implement open source software governance and security, compared to 34% of those in immature practices. Furthermore, mature DevOps practices were 1.4 times more likely to keep a full Software Bill of Materials (SBOM), which is now a key requirement in the new PCI secure software development standards.

Overall, Sonatype found that mature DevOps teams properly integrate automated security tools twice as often as immature teams. Additionally, those with mature practices are 3.3 times more likely to consider application security a top concern - a mindset that is paying dividends. For example, the number of reported open source breaches were 21% in 2020, down from 31% in 2018.

“There is a call for improved security practices within software development across the Financial Services industry, as evidenced by the Payment Card Industry (PCI) standards introduced last year,” said Derek Weeks, Vice President at Sonatype. “Our findings support PCI’s recommendations for greater transparency in the software supply chain, improved tracking of open source components, and stronger investments in automated security practices. The payoff for those doing it right is not only fewer breaches but happier developers.” 

The full report with these findings and others is available here.

About the DevSecOps Community Survey

The 2020 DevSecOps Community Survey is based on responses from 5,045 software professionals across the globe and provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 34 questions asked by Sonatype and our DevOps community advocates including All Day DevOps, Carnegie Mellon’s Software Engineering Institute, CloudBees,, DevOps Institute, DevSecOps Days, NowSecure, Security Boulevard and Verica. The survey’s margin of error is ± 1.226 percentage points at the 95% confidence level.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

Mission North for Sonatype