2016 State of DevOps Report Released

Puppet and DORA have released their annual report on the State of DevOps for 2016. As with previous reports, the primary objective of the report is to measure the impact of organizations following a DevOps philosophy relative to those who have adopted alternative models. For those of you new to the term “DevOps,” there are a few attributes that characterize the DevOps philosophy.

A Short DevOps Primer

For those of you who are new to DevOps, a short primer is in order. DevOps is a philosophy of IT operations that binds the development of services and their delivery to the core principles of W. Edwards Deming’s points on Quality Management. When applied to software development and IT organizations, Deming’s principles seek to improve the overall quality of software systems as a whole. This is done in part by decomposing the system into manageable components, which can be owned by teams. These teams have the freedom to quickly resolve any issues that might prevent the system from operating properly.

By creating a sense of pride and ownership in the delivered system, any issues discovered can be quickly resolved. This method increases the overall health of the system, which has led to the rise of Continuous Integration (CI) and Continuous Delivery (CD) as defining attributes of DevOps. Continuous delivery is a model where components of a system are updated on an as needed basis, rather than waiting for a traditional “release vehicle.” Continuous integration is a development model where changes made by a developer are integrated into the source code mainline as they are completed. From a testing perspective, a feedback model is used, leading to a concept of a CI/CD “loop.”

State of DevOps Report

For the purposes of the State of DevOps report, organizations are divided into two groups: “high performing” and “low performing.” A high performing organization is one that embraces the tenets of the DevOps philosophy and deploys multiple times per day. By contrast, a low performing organization deploys less frequently than once per month. With that as the backdrop, there are some rather interesting conclusions in this year’s report.

  • High performing organizations report that lead time to deploy changes was less than an hour
  • High performing organizations spend 22% less time reworking a solution
  • High performing organizations spend 50% less time remediating security issues

Organizational Structure

The report also went on to look at organizational structure, using the Westrum model as the taxonomy. It also used the Net Promoter Score model to determine overall employee satisfaction with their organization. The authors found that employees at high performing organizations were 2.2 times more likely to recommend their organization as a great place to work. One key conclusion was that performance-oriented organizations experienced less deployment pain than power-oriented or rules-oriented organizations.

This conclusion was applied to the security process used by high performing organizations to determine why they were able to spend 50% less time remediating security issues. By incorporating a philosophy of “quality and security is everyone’s responsibility,” high performing organizations were able to shift the burden of security management to lower pain areas of the delivery process. For example, if a security audit can be performed as part of the continuous integration portion of the delivery cycle, then the impact of a security issue can be minimized. High performing organizations don’t stop there, and include security workflows at all steps of the delivery chain, which in turn results in less rework. This enables them to focus efforts on new work rather than rework.

The Challenge

The report ends with a challenge for all readers – “What would you do with 10% more engineering time?” While the answers to this will vary, I’d like to offer up a tool to help get you there. Black Duck has developed a free security checker you can use to get a view of how vulnerable your Java archive or Docker image might be. The tool is available here: https://info.blackducksoftware.com/Security-Checker.html
