Sonatype Survey Finds DevSecOps is a Top Priority in Government


Nearly Half of Government Coders with Mature DevOps Practices Say Security is a Top Concern

Fulton, MD – June 4, 2020Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today released government-specific findings from its seventh annual DevSecOps Community Survey. The survey pulls back the curtain on successful DevSecOps practices and secure coding, and highlights trends in different verticals, including government.

Within the public sector, respondents showed the highest rates of DevSecOps adoption (36%) when compared to all other industries. Of respondents with mature DevOps practices, nearly half said application security was a top concern, making them 2.3 times more likely to say so compared to those with immature DevOps practices. Even with their high security consciousness, 22% of public sector developers reported a breach tied to their application development practices within the last 12 months.

While DevSecOps practices are top of mind for developers in Government, the survey found that adoption of practices is less mature than in other industries. Sixty-two percent (62%) rank their practices as Immature, 26% as Improving and 12% Mature, compared to 49%, 36% and 15%, respectively, for respondents overall. One area that demonstrates this lack of maturity is deployment velocity -- only 40% of government developers said they deploy changes to production at least once a week, compared to 55% for respondents overall. 

The survey also dissected security attitudes and practices based on whether respondents reported being happy or dissatisfied and found that both groups prioritize security, among other findings. Happy government coders were found to be 1.7 times more likely to pay attention to security than peers in other industries, and 61% of them reported performing secure code analysis. Meanwhile, 60% of grumpy public sector programmers said they perform security analysis of their code, which is 1.8 times higher than grumpy coders across industries. With even more good news for Government agencies, 93% of programmers working in mature DevOps practices said they were happy in their job — a rate 1.2 times higher than happy developers in other industries. 

Government respondents also indicated relative harmony within their organizations with regard to how they work with other teams. When asked which roles cause the most friction on their team, 23% of the happy programmers said “none,” compared to 14% for respondents overall. Meanwhile, 66% of happy government developers said self-paced e-learning is made available to them, compared to 50% of grumpy developers in the industry.

“One in five government developers have suspected or verified a breach tied to their application development practices in the past 12 months,” said Derek Weeks, Vice President at Sonatype. “Breaches have always been a motivating factor for increasing the security practices and hygiene within any application development team. Our survey results make it clear that DevOps teams in government agencies are striving to enhance their cybersecurity hygiene, adopting a DevSecOps mindset, and investing in more automation to stay ahead of their adversaries.”

The full report with these findings and others is available here.

About the DevSecOps Community Survey

The 2020 DevSecOps Community Survey is based on responses from 5,045 software professionals across the globe and provides visibility into the attitudes of software professionals toward DevOps best practices and the changing role of application security. The results reported here came in response to 34 questions asked by Sonatype and our DevOps community advocates including All Day DevOps, Carnegie Mellon’s Software Engineering Institute, CloudBees,, DevOps Institute, DevSecOps Days, NowSecure, Security Boulevard and Verica. The survey’s margin of error is ± 1.226 percentage points at the 95% confidence level.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

Mission North for Sonatype