Key Findings from the 2022 Accelerate State of DevOps Report: Security, Software Supply Chain, and Cloud Adoption
The 2022 Accelerate State of DevOps Report reveals that while application‑level security scanning in CI/CD pipelines is widely adopted, organizational culture, cloud adoption, and performance metrics significantly influence DevOps effectiveness, with overall performance declining amid pandemic‑related challenges.
In 2021, more than 22 billion records were exposed due to data breaches, harming many large companies and keeping security a top priority for enterprises. Accordingly, Google’s DORA (DevOps Research and Assessment) team released the 2022 Accelerate State of DevOps Report, emphasizing security. The report is based on a survey of 1,350 professionals, 68% of whom work in development, engineering, or IT operations and infrastructure, covering both large (over 10,000 employees) and small (20‑99 employees) organizations.
To examine the relationship between security and DevOps, the report explores software supply‑chain security. Researchers note that adopting best‑practice frameworks such as SLSA (Supply‑Chain Levels for Software Artifacts) and SSDF (Secure Software Development Framework) is challenging without CI/CD. “Without this critical infrastructure, organizations struggle to ensure a consistent set of scanners, linters, and tests run against the software artifacts they produce.”
Data show that among all practices promoted by SLSA and NIST SSDF, incorporating application‑level security scanning into the CI/CD pipeline for production releases is the most common, with 63% of respondents indicating it is “very” or “completely” in place. The next most adopted practices are preserving history and build scripts, while metadata signing and two‑person review have the greatest room for improvement.
Another key finding links software security to collaborative culture. “We found that the strongest predictor of an organization’s application‑development security practices is culture, not technology: a high‑trust, low‑blame culture focused on performance is 1.6 times more likely to adopt emerging security practices than a low‑trust, high‑blame culture focused on authority or rules.”
The report also examines software delivery and operational performance, classifying DevOps teams using four key metrics—deployment frequency, lead time for changes, mean time to restore, and change failure rate—and a fifth metric introduced last year, reliability. Based on these five metrics, the highest‑scoring teams deliver multiple deployments per day, keep lead time from code to production under a week, restore services within a day, and maintain a change failure rate below 15%.
The report notes an overall decline in performance this year. Unlike last year, there were no standout high performers, and the proportion of low‑performing organizations rose from 7% in 2021 to 19% this year. The authors speculate that the pandemic and its aftermath hampered innovation and knowledge sharing, increasing both high and low performers, though this conclusion lacks concrete data.
Additionally, cloud computing usage continues to rise. Public‑cloud adoption reached 76%, up from 56% in 2021. Only 10.5% reported not using any cloud (including private). “Respondents who use cloud computing are 14% more likely to exceed their organizational performance goals.” Over half of respondents use multiple cloud providers, a group that “demonstrates 1.4 times higher organizational performance.”