What has happiness got to do with app security? Happy developers are three times less likely to neglect security when it comes to code quality, says Sonatype’s annual DevSecOps community survey.
Respondents from more than 70 countries were from a range of industries, including: technology (39 percent), banking and financial services (15 percent), consulting services (seven percent), government (six percent), healthcare (five percent) and telecommunications (five percent).
“All participants self-identified their job satisfaction, employer satisfaction and productivity rankings,” said Derek Weeks, VP, Sonatype.
“The survey took many variables, such as the skill of the developer, training offered by the organisation, organisational and legal compliance etc. into account. We aggregated findings from all 5,045 participants to reach the conclusions found in our analysis,” Weeks told SC Media UK.
Happy developers working in teams with mature DevSecOps practices produce more secure software, the survey said. The survey relied on the developers’ own responses to assess their happiness. Workplace happiness is nonetheless tangible, said Dr. John Blythe, head of behavioural science at CybSafe.
“When discussing happiness at work, this almost always equates to increased employee engagement and improved productivity, and vice versa. Happiness seems like an abstract term and emotion, but it can be broken down into tangible components,” the chartered psychologist told SC Media.
The survey determined that happy developers are 3.6 times less likely to neglect security when it comes to code quality, and 1.3 times more likely to follow open source policies. They are also 2.3 times more likely to have automated security tools in place.
Essentially two areas combine to determine an individual's happiness at the workplace: an individual's personal capacity for happiness, which depends on factors such as confidence, resilience, and optimism; and the work environment, which includes autonomy, resources, performance feedback and managerial support. This is an equation that the 2015 Warwick University Happiness and Productivity study explored, noted Dr. Blythe.
The survey also noted the work environment’s effect on app developers: those working within what Sonatype called “mature DevOps practices” are 1.5 times more likely to enjoy their work, and 1.6 times more likely to recommend their employer to prospective hires, it said.
“Mature DevOps practices prioritise web application firewalls, open source software governance, and intrusion detection/protection systems. Respondents were asked to rate their level of maturity, from ‘immature’, ‘improving’ or ‘mature’,” Weeks told SC Media UK.
Broadened to the level of the firm, elements such as trust, fairness, responsibility and community indicate whether an organisation has a mature, or maturing, approach to cyber-security, said Dr. Blythe.
“When companies have a positive cyber-security culture, employees have a greater understanding and awareness of cyber-security in the workplace and a commitment to behave in a secure manner,” he explained.
“In addition, security executives are then empowered to put security first, evoking a security-by-design methodology when developing products rather than being incentivised to speed through production and add security measures as an after-thought. When security is considered from the beginning, be it with policies, products, or people, risk is nearly always decreased.”
Emphasising the organisation’s role in DevSecOps, the survey identified that the largest shortfalls among respondents related to training, the application of automated and integrated security practices, and the culture of communication around breaches, said Weeks.
“Developers do care about security, yet they don’t always have time to spend on it. Mature organisations are using more automated and integrated security to help their developers perform more security tasks without having to dedicate too much time to it,” he added.
Better resourced IT and security departments are able to lift themselves out of the usual fire-fighting mode when it comes to security issues, and can flip this process on its head, Dr. Blythe pointed out.
“Funding and support, of course, requires the buy-in of the c-suite, who must understand why security isn't just 'a nice thing to have'. Unfortunately, executives are not receiving ‘adequate’ reports on cyber-security to be able to make informed decisions on spend and resource. With this lack of clarity, the necessary top-down approach to cyber-security culture and resilience cannot be achieved.”