DevOps, which brings faster software updates, could help prevent the avalanche of records exposed in data breaches, but Google's research finds that existing practices don't meet the task at hand.
Google surveyed 33,000 tech pros to explore how DevOps – which broadly means aligning software development with IT operations – impacts cybersecurity as part of its annual Accelerate State of DevOps Report. As it notes, more than 22 billion records were exposed in 2021 through 4,145 publicly known breaches.
Google found that 63% of respondents used application-level security scanning as part of continuous integration/continuous delivery (CI/CD) systems for production releases. It also found that most developers were preserving code history and using build scripts.
That's a reassuring trend, although fewer than 50% were practicing two-person reviews of code changes and only 43% were signing metadata.
"Software supply chain security practices embodied in SLSA and SSDF already see modest adoption, but there is ample room for more," the report concludes.
Keeping staff happy can change security outcomes, too. Google found that employers who gave staff the option of hybrid working performed better and saw less burnout.
"Findings showed that organizations with higher levels of employee flexibility have higher organizational performance compared to organizations with more rigid work arrangements. These findings provide evidence that giving employees the freedom to modify their work arrangements as needed has tangible and direct benefits for an organization," Google notes.
Google waded into the murky territory of asking respondents to forecast how work styles affected future bugs: it asked them to predict the likelihood that a security breach or a complete outage would occur over the next 12 months.
People working at "high-performing organizations were less likely to expect a major error to occur," Google said.