Sonatype Finds Tech Companies Are Peak DevSecOps Performers


Happy Developers Automate Security Twice as Often as their Unhappy Peers, Showing Link between Security Best Practices and Work Culture

Fulton, MD – June 4, 2020 – Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today published Technology industry-specific findings from its seventh annual DevSecOps Community Survey, which was launched earlier this year. The findings, which delve into successful DevSecOps practices across sectors including technology, show a link between mature DevOps practices, job satisfaction among developers and strong security processes.

Sonatype finds that Tech companies are more likely to have mature DevOps practices compared to other industries, with 59% of companies reporting improving or mature practices — the overall industry average across sectors was just 51%. This, in turn, affects deployment practices too: nearly 60% of developers in the tech sector deploy code changes at least once a week — 1.1X more likely than the average developer — showing that mature practices have a direct impact on agility and productivity.

Considering that 25% of tech companies surveyed suspect or have verified a breach tied to their software development practices within the last year, it’s clear that the stakes are high when it comes to securing code. Surprisingly, workflows and culture can play a big role in helping to get ahead of breaches. Happy tech developers (69%) are more likely to perform security analysis of their code compared with grumpy developers (19%) in Tech. Additionally, happy tech developers are 1.7X more likely to pay attention to security than their grumpy counterparts. They also have a better understanding of how critical it is to get security right: happy tech developers are 1.9X more likely to consider AppSec a top concern as compared to their less satisfied peers. 

But mature DevOps practices are essential to uphold not only because they impact security standards, but because they also play a big role in shaping employer brands in a sector that has historically been a tight job market. Happy tech developers report having increased access to application security training, with self-paced e-learning remaining accessible to 66% of the group – a sharp contrast against the 48% of unhappy tech developers who reported receiving no training at all. Additionally, happy developers were 1.2X more likely to recommend their employer to their peers than their grumpier counterparts, making organizational reputation a key consideration in technology practices.

“The tech sector has always been a shining case study in how to get developer culture right, covering everything from tools and technologies to remote work,” said Derek Weeks, Vice President at Sonatype. “Following their example has become especially important in our new, remote-first paradigm: the automated and secure workflows mastered by tech developers are a lesson to developers everywhere as they re-shape their day-to-day practices against an evolving work landscape.”

The full report with these findings and others is available here.

About the DevSecOps Community Survey

The 2020 DevSecOps Community Survey is based on responses from 5,045 software professionals across the globe and provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 34 questions asked by Sonatype and our DevOps community advocates including All Day DevOps, Carnegie Mellon’s Software Engineering Institute, CloudBees, DevOps Institute, DevSecOps Days, NowSecure, Security Boulevard and Verica. The survey’s margin of error is ± 1.226 percentage points at the 95% confidence level.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

Mission North for Sonatype