Sonatype Finds Mature DevSecOps Practices Lead to Happier Developers, More Secure Code


Annual Survey Finds Happy Coders 3.6X More Likely to Build Secure Applications

Fulton, MD – April 7, 2020 -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today published findings from its seventh annual DevSecOps Community Survey, based on responses from 5,045 software engineering professionals.  The survey, developed and conducted in partnership with Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute,, DevSecOps Days, NowSecure, Security Boulevard, Verica, and All Day DevOps, pulls back the curtain on successful DevSecOps practices, significant influences on developer satisfaction, trends in secure coding, and application breaches. 

The survey reveals that development velocity is accelerating with 55% of respondents deploying code to production at least once per week, compared to 47% of respondents in 2019. Findings also show how engineering teams supported by mature DevOps practices are more likely to integrate automated security tooling into their development lifecycle. The most popular automated security investments are web application firewalls (59%), open source governance (44%), and intrusion detection (42%).

Mature DevOps teams also demonstrate 1.6x higher job satisfaction rates compared to their immature peers. Furthermore, mature teams are 2.2x more likely to invest in container security, 2.1x more likely to invest in Dynamic Analysis Security Testing, and 1.9x more likely to invest in Software Composition Analysis.

“DevSecOps transformations are proving critical – not just to improve productivity and application security - but to ensure developer delight,” said Derek Weeks, Vice President at Sonatype. “This year, mature DevOps teams are properly integrating and automating security tools almost 2x more often than less mature teams. We also found developers in mature DevOps teams are 1.6x more likely to recommend their employers in today’s tight job market and 1.3x more likely to get work done.” 

Additional findings from the report include:

  • Mature DevOps teams are more aware of breaches: 28% of mature organizations are aware of an open source component-related breach in the past 12 months, compared to just 19% of respondents with immature DevOps practices. While breaches appear higher for mature DevOps practices, industry advocates point to cultural advantages that reward open communication, welcome new information, and encourage tighter collaboration between developer and security tribes.

  • Happy developers pay more attention to security: Happy developers are 3.6x less likely to neglect security when it comes to code quality, and 1.3x more likely to follow open source policies. They are also 2.3x more likely to have automated security tools in place. Developers working within mature DevOps practices are 1.5x more likely to enjoy their work, and 1.6x more likely to recommend their employer to prospects.

  • Tooling and training show strong correlation with DevOps delight: Happier developers are 1.3x more likely to be informed of security issues from their integrated tooling compared to their grumpier counterparts. But improved tooling and close collaboration with security teams also paid off for happier developers, as they are 3.8x less likely to rely on rumors when it comes to security notifications. Developers who receive training on how to code securely are also 5x more likely to enjoy their work.

The full report with these findings and others is available here.

Supporting Quotes

“We know, as a collective team, how to produce the highest quality of software by following a DevOps methodology. The methodology helps us enforce security checks at each phase in a SDLC. As the survey points out, mature DevOps practices are 3.6x more likely to consider security as a top concern and 2x more likely to have automated governance and compliance. Mature DevOps practices are constantly testing, deploying, and validating that software meets every requirement and allows for fast recovery in the event of a problem. As a result, we can easily say, ‘DevSecOps is DevOps done right.’”

— Hasan Yasar, Technical Director and Adjunct Faculty Member
Software Engineering Institute | Carnegie Mellon University

“We’ve always known that DevSecOps is about culture. The 2020 DevSecOps Community Survey, for the first time, reveals clear and convincing empirical evidence that developers are happier and more productive when security is part of the digital transformation and DevOps journey.”

— James Wickett, Head of Research,
DevOps and DevSecOps Instructor, LinkedIn Learning

“We believe that the community derived data on emerging patterns shown within the 2020 DevSecOps Community Survey can help both individuals and organizations adapt to the rapidly changing dynamics of the modern security landscape. We cannot achieve higher levels of DevOps maturity until we understand how tightly woven people are into the transformation process.  More than anything, DevSecOps success is tied to human effort.”

— Jayne Groll, CEO, DevOps Institute

“The 2020 DevSecOps community survey highlights an important fact which is often overlooked: culture matters. The results show us that shared ownership becomes even more important as organizations shift from DevOps practices to security-focused DevSecOps practices. Accordingly, happy developers address security upstream through tooling and coordination with peers, whereas grumpy developers engage late, learning about issues from management or customers. The takeaway? Spend time fostering an effective culture.”

— Brian Dawson, DevOps Evangelist, CloudBees

About the DevSecOps Community Survey

The 2020 DevSecOps Community Survey is based on responses from 5,045 software professionals across the globe and provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 34 questions asked by Sonatype and our DevOps community advocates including All Day DevOps, Carnegie Mellon’s Software Engineering Institute, CloudBees,, DevOps Institute, DevSecOps Days, NowSecure, Security Boulevard and Verica. The survey’s margin of error is ± 1.226 percentage points at the 95% confidence level.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

Mission North for Sonatype