Thriving ina insecure worl © GitLabWhat's inside? erty ry rea ry ae en eerie See Say Deo Sees Crea) See eee cay Pera 4 Coe eee) Cee a pen eer os Security 19 Pees Seca Roles are changing Shifting lott eed Alook at testing Looking tothe future eee Prey Cee Ce Sea Se eee Looking tothe future Cee ee catty eyIntroduction eee ee cee eS Se eet oe nee an ed 5,001 people offered us a snapshot of “their DevOps,” and this Se ec en ces eos Rey focused on what could be accomplished: from deployment eee ener De eeu Uy fy aroesaeenners aaa WG cosines Dee eee er ees} platform or plan to this year, ty double Cee ee eee eee es Jobs, ops is cloud or platform-engineering focused, and security ere ee oa cut rah ; et Re ee QO Yberaprcac pene We also heard about the challenges, including pandemic-based Se ee ene See Oe ene ee ere ered But f there was one overarching concern, it was the very real threat security breaches represent. While security continues to “shift left we eee ec eee a ec ae platform or other technologies. The threat of security breaches is BS ae eg ee ey Participants use our products, Also, roughly 60% of respondents eee ee Ce eae eee(o-TaV (NG Py rare eA AC AG LT SOUR ete etary eee cee nee Tet eee ‘Test automation is (nearly) here RoR acacia es Be ee] Ce eRe ee ne ed Sees Se Ce een a ene eee ee era! eo) See FO SE DEH AICS a ee) ed ete core RCM 13}: ) (aaaadvesiansstecnine eecengens Fea ee rn tere Soe See oa eee) Cee ensThe starting point In May 2022, 5,001 respondents completed our survey. Here's a closer look at who they are Gender Age 56% wee 36% 35-44 7% 45-54 2% ss 20% Female 72% Male 1% Non-binarytnird gender 1% Prefer nt to say O% Peoferto set describe Industry ask Computer Haroware/ Services / Sottore Sees = ™ stometne * trast! manufacturing Do * Teleconmunestons i 4% fatal * Businoss Series / Consuting a Energy &.uites 2% Media & Entertainment * Esueation Banking j Financial Services Blotechiprarm Consumer products mtg Hearncace Government Aerospace & defense Omer 3% 2% 2% 2% 2% 2% * %Role 1% Softere Developer / Software Enaner o% elaby Enginer w Coen eee « FE ay execute 010 /crOWe oe eer B * cerned “ Der0ps Engineer » * Network secur spect » “~ Seeutyengneer “* Security leadership D % Product Manager a Systems Administrator a Software Areitect * Developmentngineering Leadership * DevOps Leadership D 2% Systems Engineer / Network Engineer , % Release Manager , 2x ‘pp security engineer , 2% Quay Assurance , * Database engineer , % Technical writin charge of documentation % Site avatabity engineer , * Othe Decision maker status — se Primary decision maker 37% [Notte primary cision maker but onthe team that makes the decisions am Prove decision making input , * Not decison makersRegion omer Eo Inala ‘er x om tg2 ames me? 3 1G = s a 50-38 poopie 100-240 people als } :Software development ea, an 1% Ine But while that’s substantial progress in DevOps usage, i's clea Fespondents, who could “choose al that apaly” when it came to software methodologies, ae stil using a mix match proach at ofthe time, The percentage of teams usi frfall was up an astonishing 16% t Dae eu Cuca Beers renee ord a ea oy 4 fe cy {A full 40% of respondents told us their DevOps practices are between three Ste eee a en ces Seen ener eae Ce eee ee ee eae ee ee erent ie Ei tre ees Cee en eer oe a acme‘What do today’s DevOps implementations look like? A DevOps platform was the most ikely to be part of the process (44%), followed by DevSecOps (42%), CV CCD and test automation at 24%, and observability/monitoring t 30%. Last yea, 1.5% of survey takers used Al/ML; tis year the percentage more than doubled 10.24%, For the third year in a row, respondents said devs are the most likly to benefit from a DevOps practice (64%), followed by ops (63%), and security (53%) The top three reasons to choose DevOps? Better code quality, developer productivity and operational efficiency were called out by 37% of survey takers, followed very closely by better securty/more secure applications. Other clear benefits from a DevOps practice included increased time to market, better /DevOps team members. communication/collaboration, and happier developers ‘an impressive 70% of survey respondents sald their teams deploy multiple times a day, once a day, or once every few days, up 11% from 202, Al told 27% deploy continuously (multiple times a day), while 14% deploy once a day, and 29% deploy every few days. Ce eg Pe Peano a eee Oe ete ee aThe root causes of release delays From 2019 through 2021, our survey ndents jstently pointed tng as the most likely reason for software rel ays. Tests stl but now i one 8 for release dela security analyss, test data manageme and sting. A few trends may help explain this cha Se ey Ser eared ee eee Tico Oe ecco Ce cate ey eet Ce ee eg ts et aad Da Can oa cera} ‘Security is increasingly critical for perenne ence this survey) Cee eee cornea Cree come Cee eet anaArise in test automation ‘This year saw dramatic improvement in test automation: 47% of teams report thelr testing is fully automated today, up {rom 25% last year. Another 21% plan to ral out test automation at some point this year, and 15% nape to do so in the next two or more years ‘And, there's just more testing happening all around: 53% of survey takers said testing Is happening as code Is being written (up 21 points from last year). & {ull 59% of devs test their own code, up 34% from 2021, and SO% sald test and dev work as a team to test code in real time asi's belng written The increasing role of Al/ML Continuing a vend we saw last year, AML may be the test teams set weapon, Today, 37% of teams use AML in software testing (up from 25%), and a further 20% plan to introduce it this yoar. Another 19% plan to roll out AU/ML- powered testing in the next two to three years, Mer ee ue Ree een cae Teg eee ay. Fully 62% of survey takers are practicing ea Cea a) 40% of teams said they use "b Ce ea se ee Ee mga eae a Tawa eon CemOf toolchains and popular tools bout 4a% between date their 3 be more? A full 37% said spending time on to ‘maintenance takes away from time that nt on compliance, while ifficut to have {and aifficuty in retaining Dee aC eed ane) ee Cer eau eats ey RO eC eee Cee au ene et Loca Re eae re Sonor ee en enc) Dee ee) Reo ee ge Ce RC 29%, Azure DevOps at 28%, and BltBucket at 20% ae Done ce Se eee ee as ere eee ae ceed rnetes is in u teams right now, and another 25% plan to rollit out at some point this year. Another 20% of teams said they plan to implement Kas in the next two to three years. 0 7 ee ea Ce eee oe eee ee) eee eee et ee eee peraHas your organization adopted een Sener it Pee ee eee ny nee eae er) We have no plans to use it 4 Eee ea Pen ters The role of the DevOps platform Three-quarters of respondents told us their teams use a evOps platform or plan to use one this year. Another 21% said they are considering a DevOps platform in the next two to three years. What advantages does a DevOps platform offer? The top choice was improved security, followed closely by cost {and time savings, improved DevOps, and easier automation, Other benefits Included improved monitoring, observabilty, ‘and metrics Although a majority of dev, sec, and ops respondents agreed that better security isthe key advantage with a DevOps platform, each group saw other "specifc-to-ther-roles" perks. Devs said a DevOps platform gave them cost and time savings ‘and a more streamlined DevOps practice. Ops told us they liked the cost and time savings too, but also appreciated better ‘monitaring and metrics as well as easier compliance. And see pros called out easier automation and more streamlined deployments. ‘The group most likely to use @ DevOps platform fs devs, but 28% sald the entire DevOps team uses thelr patfotm, while operations. Other roles taking ‘advantage of a DevOps platform included product manager, esi and SREs, 37% said security and 36% ners, the business sideDevelopers Development top findings Releases are faster [And devs say the number one reason is a DevOps platform. The challenges are real Developers acknowledge that Covid-18, hiring, socurlty threats, culture changes, and complex tech learning curves added more real-world ditficulties to thelr roles than ever befor. More, more, more Code review, automated testing, and planning are the top three areas devs would lke to spend more time on, Allin a day's work Dovs continue to take on more ops and sec responsibilities. For the future Devs think advanced programming languages and soft skils will be key to their future careers.Is easy to think software developers are insulated from re World fluctuations afterall, every company isa software company today and demand for DevOps talent seems insatiable. But in 2022, it's clear realty has crept in, Wie asked developers to tellus the most challenging parts of their role, and their answers were far less likely to be about learning a ‘new programming language than dealing with big pictur trends, Including security/hackers, the economy, Covid-19, an insufficient labor force, and more, There was 8 strong sense of culture change ‘and dread of looming, complicated technologies, with a clear Undercurrent of "we may not be ready for ths. In their own words ¢ ¢ “Security, security, security". offered by more than one ‘ousana responsents “Limited potential for young developers” “To keep it secure ana keep updated “Keaping up with the latest tole and security for optimal performance and privacy” “Trying to bus applications that are secure and stable” “cyber securty atacks are the biggest challenge facing us today" “The biggest challenge i inging euficient caging staff” “Data security, data security, repeat, data security” “Kesping pace with innovation, cultural changes, data privacy” “The biggest challenge isto find people to fil the jobs “We have experienced signficant aifficltyin finding and retaining quaiiogstatt™ “4G, 56, A Metavorse, virtual space—dovelopers have to support alot th “The Covid effect” “Too many software frameworks “QA, undefined quality standards “Technology i rapicly changing” (mentioned very frequenty) Shared thoughts: Supply chain issues (a commen response) Personne tunaver Te ezonomy Covid (hundreds of comments) Al (mentioned frequenty) ‘Two respondents summed it up well: Wis havea development capacity chatlonge a recruting ‘callenge and 8 knowleage-sharing enalenge: For me, thes are the 8 biggest challenges we are facing as software developers 1) Keeping pace withinnovation 5) Cybersecurity 2) Cutural change 61 Aland automation 3) Customer experince 7) Data teracy {4)Data privacy 18} Cross-platform functionalityDevs and DevOps Fear about the future aside, nearly 60% of devs told us they're releasing code faster than before, continuing a release pace trajectory thats done nothing but increase over the past fow years. A full 35% said they/re releasing code twice as fast, while 15% are releasing code between three and five times faster, and 8% said the code is fying out the door more than five times, faster. To find out why code is being released more quickly we asked developers what's changed in thelr process. A maerity said Use of a DevOps platform was the number one reason for the increased pace of code release, fllowad by automated testing, source code management, planning tools, and abservabilty What do devs wish they could do more of? Their answers directly addressed those areas most ikaly to cause delays: ‘mote and better code review, automated testing, and better planning (all at 31%). Coming in as a strong second was Al) IML for code writing and review (27%) followed by code reuse (26%), These responses don't represent any significant \evition from what developers said last year, perhaps Underscoring now elffcult itis to make systemic process and technology changes. ‘The growing adoption of DevOps has also meant teams are broadening their technical reach. What did DevOps teams add ‘to thar tech stack in 2022? Automated testing, source code management (SCM, and continuous delivery were the most popular additions; in 2021, SCM was the most added process, and automated testing was fourth. But teams didn’ just ada in old favorites tke SCM and CD: cutting-edge technologies, Including observabiity, Al, and ModelOps a'so made the ist.‘All that automation has translated into @ huge list of things devs tld us they no longer have to do, Inclucing Dees cag TA Senet eee ea eee te eetDevelopers and security This year, 83% of developers told us they are “uly responsible" for security in their organizations, a 14% increase over 2021, and perhaps yet another sign of security sifting left. Another 39% said thoy fee! responsible for security but as part of a larger team, while 7% said they do their part but others on the team ‘were more responsible. Developers continue to be very upbeat about ther team's security posture: 87% said thor organizations make it possible for them to avoid breaches, a substantial increase from 75% in 2021 Looking to the future ‘what will matter most fora developers future career seams to change every yar. In 2021, devs said AVML would be most important, while in 2020 it was soft skills ke communication and collaboration. This year devs ware spilt between soft skills and advanced programming languages, followed by subject matter ‘expertise, AVML was atthe bottom of te list. But, by a single percentage point, devs were the most optimistic about the future ‘of thelr careers, despite ongoing changes and shifts. Just over three-quarters (76%) said they fee!“somewhat” or “very” prepared forthe future; in fact, 43% of devs said they feel very prepared, strikingly higher percentages than either ops (2750 or security (20%)Security Security top findings Dee ee Le eee ase ree eos ee een « < See Dee eee Cy Pare) Comte) Caan eee ee ee Oey eer Ree Cee Seg a eee Is not suprising 43% of sec pros feel “somewhat” or “very” ee eas iS)Eee Brot C0) 09 ee eee en gy De nee ee eee are ees Pree ee eT) eet ee cee ety PCE een) Ree eet eee ee? Reon ee functional team (identical to 2021's findings), while 28% are now more focused on compliance and 38% are more involved in dally tasks/more hands-on, an T1-point jump from last year. About 48% of survey takers Said their roles See ee ee) eee ins Shifting left shift lft unl atleast two years from no Scanning has certainly increased: Today 53 run static application security testing (SAS ‘dramatic jump employ dys scans (up 11 points from last pros report their devs scan from 2 le 86% take advar seans, and 61% do icanse compliance cl But all that scanning hasn't trans! data in thelr workflows, which is an o er the past few years nf nners in a web IDE, and 0 3b pipeline ST and dependent do the same for Sean availabilty ha 1 about 10% on ave but tnere clearAnd, while it may be a bit simplistic to suggest sec and dev really don't get along, year after year the data continues to support that they atleast don't always sae eye to eye. For the third yearn arom, entage of sec pros (47%) sald devs find 24% or le the avaliable bugs that could be found in existing code..to put itanother way, 75% of the bugs were left for sec to find. Less than rity team members said devs found between half ang quarters of the bugs. A full §7% of survey takers agreed performance metric for developers in thair organization but 86% sald it was dificult to code vulnerabilities In the end st kely 0 be found by t environment. These security team after the code is mer. aren't new opinions—we've heard them since 2020, but this year the percentage of security pros “complaining” was down dramatically rom last year’s 80% view, perhaps a sign of impr Who's in Charge? While dev and ops are taking on a largor share of security ‘ownership, i's not so straightforward on the sec team, In 2020 ‘and 202, the parcentag y aid they wa Fully responsible for security was roughly the same as those who said everyone le. This year the picture has changed csramatically 43% 0 members admitted to full ownership curity (a 12% jump from last year) but a resounding majority 6) said everyone was responsible, a 25% nerease from 2021 Be Se EC for application security in your ene urd cy eee ee ee rf x i] % SdIN eee) ‘Security testing Is, not surprisingly, a continuing bump in the road ee rn eee SE ee ead several years security team members have complained the most about test timing (i's always too late in the process). But this year, Re en oe eke ee Ce cg eS Seog ee ey ee ene ed ese ee een ata eee Ce neu} ee ar) ee ee! Microservices and containers continue to gain traction in DevOps Se ee ey Cee ences een nee eee rey Cee ees fee eee na eee ees Cee Rr RRS eS De een ce ccaraers, a majority of security pros (54%) sald AML, followed by communication and collaboration (33%), and advanced programming (32%). Since our 2020 survey, security pros have ee nee rea CIA Ne eee Eo Cee ce colleagues do about the future: Just 56% said they feel ‘somewhat” Cee een ey ‘average dev and ops response), while 43% feel “somewhat” or osOperations Operations top findings Al. The. Hats. From DevOps coach to platform engineer and cloud ‘administrator, operations includes more roles than ever. ‘Too much is really too much ‘Ops is suffering from data overload with over one-third saying it's \~ difficult to find and access needed information. ee \ ‘Automation gets real ‘Almost one-quarter of ops teams report full automation, while {44% are "mostly" automated, both big jumps from 2021 Moving forward ) Ops pros continue to think programming and soft skis will be the ‘most important skills they can have.Operations {At the nexus of every single change that happens in DevOps, ‘operations pros need to be prepared for anything, particularly shifting roles and responsibilities. We asked them to describe their primary job responsiblties in 2022. (sax | [32% ‘are managing hardware infrastructure all or most of the time infrastructure “sometimes” ‘services all or most services of the time “sometimes” ‘And that's ust the beginning. When asked what Devops has added to ops roles that cidn't exist before, options ‘were nearly evenly divided among the seven choices, Managing the cloud was the top response, but managing hardwarefinfrastructure, maintaining the toolchain, DevOps ‘coaching, responsibilty for automation, overseeing all ‘compliance, and platform engineering were almost equally mentioned Of allot those newer tasks, managing auait and compliance requirements is becoming increasingly citical. The majority ‘of respondents said they spend between one-quarter and half their time on audit and compliance, a15% increase ‘rom 2021, Almost one-quarter of ops pros said they spend between haf and three-quarters of thelr time dealing with ‘audit and compliance.Still so many tools ‘And of course there are always ots of tools for ops to manage. Roughly 49% of (ps pros said thelr teams use between {wo and five monitoring tools (unchanged from 2021) and one-third use between six and 10. Al tol, 63% of ops teams use a DevOps platform to feed real-time data back to developers (2 23% increase from last year) Metries is the most important monitoring category followed by logging The top choice for capturing and viewing logs is Datadog (47%, followed by LogDNA (43%, and Splunk (41%). Datadog was ‘also the frst choice for tracking traces, followed by AppDynamics and Dynatrace. ‘And Datadog was also the tool of choice for capturing time-series metrics, followed by Solar Winds. ‘A majority of ops teams (58%) use Google Cloud Platform, up 38% from 2021, followed by Azure and AWS, Just 4% of respondents currently don't use a cloud provider or don't know which one Its, ‘down ® points from last year, Working with development ‘Aull 68% of ops teams told us ther software development itecycle was elther ‘completely or mostly automated, a 13% increase from 2021, And 20% said it was. somewhat automated. To look at it another way, 24% of teams told us they were fully automated—that’s up from 19% last year and just 8% in 2020, meaning ‘dramatic progress in just a few short years, (Ops continues to value visibility into what devs are doing, with 86% of ops pros reporting it was moderately, very, or extremely important to them to have visibility into development, up 15 points over 2021 But that vsibiity brings information and it's increasingly clear opsis struggling ‘with true information overload: 39% of ops respondents said the DevOps data they need exists but accessing and managing its dificult, while 27% went further and ‘acknowledged being “overwhelmed” by the amount and scope of data avaiable. Another 14% elther don't know what data is avallable or say ther organization doesr't track what they need. Just 18% report they have all the data they need and find it easy to access. Ina continuing sign of shifting roles, nearly 77% of ops pros said thelr devs are able to provision testing environments, which is an 8% increase from last year. And there is more actual DevSecOps happening: Just over 76% of ops teams agroe at some level that devs are able to receive and address security issues during the development process (thats @ 10% jump from last year. ‘There's no question that ops pros are experiencing an increasing sense of urgency ‘and ownership around security. An impressive 48% of operations team members sald they were solely responsible (up from 28% last year), while 40% belleve they are responsible but as part of a bigger team, a 6% increase since 2021err ROR Ue te re ror Een Consistent in what they believe wil be most important in Seen Peete cas year (46% for each ents Ree ee ee ee SC ea Ceca Rea) ms‘one oevops Keeping the DevOps momentum With al the changes—in the world, the technology, and in DevOps roles-—dee, sec, and ops ros are unanimous in their desire to Keep themselves and their careers moving forward. (One obvious example: 81% of survay takers sald certifications wore either somewhat or very Important to their future careers. ‘More globally, dev, sec, and ops agreed that their top ares of investment in 2022 would be security. A close second priority wll be cloud computing (21%), folowed by DevOps, Al, and blockzhain (al 20%). Combine Al with its technology cousin machine learningiMLOps and that was the clear invastment winner at 20%. Priorities varied depending on where in the DevOps team respondents were. Ops pros plan to double down on cloud computing (24%), followed by security at 23% and Devops (21%). Interestingly a full 24% of devs want to put their focus on DevOps this year, followed by Al (22%), and cloud computing and a DevOps platform (21% each). The security team is primary interested in blockchaln (36%) followed by security (25%) and cloud eamputing and AA (both 17% Management's top areas of investment were blockchain (23%), security (22%), and cloud ‘computing (21%). Today's teams are clearly doing the planning, thinking, and work to move DevOps and software development forward, avon during stressful world events. Uso this survey and ‘see how your team compares, and then share with colleagues also on the DevOps journey. DevOps isnt @ destination, i's a process, @GitLab© GitLab