Survey: Happy Developers Produce More Secure Software
It’s no surprise that happy developers are more engaged at work and as a result produce better business outcomes. But do happy developers produce more secure software? According to our 2020 DevSecOps Community Survey the answer is a resounding YES. The cause isn’t an unlimited amount of Red Bull, either!
We surveyed 5,045 developers from 120 countries to examine emerging trends in DevSecOps. We also wanted to learn what practices influenced developer delight. We discovered that developers working on teams with mature DevSecOps practices were the happiest. These developers are nearly twice as likely to:
- Say they like their job (1.5x more likely)
- Get work done (1.3x more likely)
- Encourage friends to come work with them (1.6x more likely)
So what is a mature DevSecOps practice? According to a podcast interview The New Stack did with Derek Weeks, Vice President of Sonatype, the survey participants were asked to assess their organization’s level of DevOps maturity on a scale. This information was correlated to other data points, like what tools they used.
“Out of the people who said they’re mature,” commented Weeks, “what tools are they using? And of the people that say they’re immature, what tools are they using? What training are they getting, etc. And we see vast differences in these two populations.”
How then do these traits influence practices that produce more secure software? There are at least four correlations that make them superior compared to their less happy counterparts.
Happy Developers Like (or Love) Their Job
Employee satisfaction has short and long-term implications. In the short-term, satisfied employees tend to have more intrinsic motivation to do their jobs well. Long term, employee satisfaction stabilizes team turnover. Job satisfaction also increases the interpersonal familiarity and trust required for successful collaboration.
As social scientist Arnold Bakker reports in An Evidence Based Model for Work Engagement:
“Engaged workers are more open to new information, more productive, and more willing to go the extra mile. Moreover, engaged workers proactively change their work environment in order to stay engaged.”
It’s no surprise then that happy developers thrive in a proactive culture, the foundation of DevSecOps teams.
Our survey supports this research. Job satisfaction amongst developers is highest in mature DevOps practices. Over 92% of developers in mature DevOps organizations showed high levels of job satisfaction. Compare this to 61% of their industry peers in immature DevOps practices who described their job satisfaction in positive terms.
Sonatype’s Weeks also commented that there is a big disparity between how “grumpy” developers complain about management, versus their happier counterparts.
About 44% of dissatisfied developers blamed executives and its management for friction in their teams, Weeks said, while only 14% of satisfied developers blamed the execs. “So it was a huge difference in terms of where do you see friction in the organization?” he said.
Happy Developers Are More Productive
The DevSecOps Community Survey also shows a strong correlation between mature DevOps practices and developer productivity. Eighty-nine percent (89%) of developers in mature DevOps practices say they are more likely to get their work done. By contrast, 69% of developers working in immature DevOps practices felt they could complete their assignments. Would you rather have seven of 10 or nine of 10 developers who feel like they can complete the work assigned to them? I’ll take that nine any day, especially if we’re implementing new security controls or trying to remediate a vulnerability before an adversary finds it.
For developers, finding time to spend on security is not a new issue. For three years running, 47% of developers taking our community survey say they believe security is important, but struggle to find more time to spend on it. Our data shows that teams with mature DevSecOps practices are doing more, and doing it more effectively, every day. That’s because mature DevOps practices are more likely to implement automated tooling to help developers understand security risks.
Happy Developers Enrich Talent Acquisition and Retention
Talented developers tend to know similarly talented peers, often across disciplines. This presents two strong advantages for a business: talent acquisition and innovation. Both have security implications.
First, happy developers show a strong desire to recruit others into their organizations. When asked if they would recommend their companies as a good place for others to work, 86% in mature DevOps practices gave their employers a thumbs up. Only 53% in immature practices did (a 1.6x difference). In competitive markets, a staff full of happy employees makes it easier to show up to work each day, and makes the effort of recruiting new employees easier.
This matters. It “takes 8-12 weeks to replace a knowledge worker, and then another month or two before the replacement gets to full productivity mode,” said Stephen King, the president and CEO of GrowthForce, in Forbes. An employee bringing in $100,000 in revenue who departs costs a company at least $25,000 in lost revenue, to say nothing about the disruption. This means there is definitely a cost-benefit to having happy developers on staff.
According to Weeks, having happy DevOps developers is a great way to attract even more talent.
“The people that are doing DevOps right,” he said, “have people clamoring to be part of their organization.”
Secondly, by leveraging the social circles of happy developers, businesses with mature practices attract an influx of new ideas and perspectives. This is necessary for product innovation, but also security innovation. Security-minded individuals establish security-minded teams.
Happy Developers Recognize Security Breaches Faster
Happy developers — working in more mature DevOps practices — are more likely to identify security breaches, too. We looked at breach confirmations between the mature and immature DevOps groups in the 2020 DevSecOps Community Survey and saw that 23% of mature DevOps practices had confirmed or suspected a breach tied to their use of known vulnerable open source components. By comparison, only 19% of immature DevOps practices recognized a security breach. In some of the most mature DevOps practices, the breach confirmation rates bumped up to 28% of organizations.
A similar pattern emerged in our 2019 DevSecOps Community Survey, where more mature DevOps practices confirmed higher levels of breaches. Why would this be the case? Our conversations with many DevOps leaders pointed to mature cultures that reward communication, collaboration, and new information being shared. Their culture of “no silent failures” (credit to Dan Geer) rewards awareness. In “The Phoenix Project,” Gene Kim wrote that “To tell the truth is an act of love. To withhold the truth is an act of hate. Or worse, apathy.”
Employees who enjoy their work, trust their employers, and have a culture that supports information sharing, are more likely to spread awareness of breaches. In turn, accelerated awareness further expedites remediation.
Our 2020 survey also revealed that happy developers working within mature DevOps teams are 3.8x less likely to rely on rumor mills to find out about security issues. Think of mature DevOps teams as the “actively engaged” developers and the immature teams as the “disengaged.”
The more you pay attention, the more tooling you have in place to support you, the more capable you are of protecting your organization’s applications and the data tied to them.
Happiness Is a Foundational Part of Culture
Happier DevSecOps professionals make it easier to show up to work, get things done, and enable your business to deliver better results. “Building in happiness” is a practice itself. It’s a central part of the cultural transformation that adopting DevSecOps practices requires to be successful. If you’re building a business case for a DevOps transformation, share evidence of the “happy factor.” Happy developers are more productive, build more secure code, and are better for business too.
For those looking for more evidence of happy developers leading to secure coding practices, we invite you to read through the 2020 DevSecOps Community Survey.
Feature image by Istvan Pocsai from Pixabay.