2022 Accelerate

State of DevOps Report

Sponsored by
Table of contents

01 Executive summary 03
05 Surprises 55

02 Hyou
ow do
compare? 08
06 Demographics and
Firmographics 59

03 Hyou
ow do
improve? 07 Final thoughts 67

Introduction 19

Cloud 21
08 Acknowledgements 68

SRE and DevOps 26

Technical DevOps Capabilities 29

Culture 37
09 Authors 69

04 W hy supply chain
security matters 42
10 Methodology 73

11 Further reading 76

Accelerate State of DevOps 2022 Contents 2

01
Executive summary Derek DeBellis Claire Peters

For the last eight years, we have produced the

Accelerate State of DevOps report, hearing from
33,000 professionals along the way. Our research
focuses on examining how capabilities and
practices predict the outcomes that we consider
central to DevOps:

• Software delivery performance – The Four Key

Metrics of software delivery performance:
deployment frequency, lead time for changes,
change failure rate, and time to restore service.

• Operational performance – The Fifth Key

Metric, reliability.

• Organizational performance – How well

your organization meets performance and
profitability goals.

We also focus on the factors that underlie

other outcomes like burnout and the
likelihood that employees will recommend
their teams.

Accelerate State of DevOps 2022 Executive summary 3

Securing the
software supply chain

In 2021, we found that securing the software Adoption of good application development security
supply chain is essential to reaching many practices was correlated with additional benefits.
important outcomes. We found that teams that focus on establishing
these security practices have reduced developer
This year we dug deeper on software supply chain burnout; teams with low levels of security practices
security, making it a primary theme of our survey have 1.4x greater odds of having high levels of
and report. We leveraged the Supply Chain Levels for burnout than teams with high levels of security.1
Secure Artifacts (SLSA) framework to explore technical The teams that focus on establishing security
practices that support the development of software practices are significantly more likely to
supply chain security. We also used the National recommend their team to someone else. Further,
Institute for Standards and Technology’s Secure SLSA-related security practices positively predict
Software Development Framework (NIST SSDF) both organizational performance and software
to explore attitudes, processes, and non-technical delivery performance, but this effect needs
practices related to securing the software supply chain. strong continuous integration capabilities
in place to fully emerge.
We found that the biggest predictor of an
organization’s application-development security
practices was cultural, not technical: high-trust,
low-blame cultures focused on performance were
1.6x more likely to have above average adoption of
emerging security practices than low trust, high-
blame cultures focused on power or rules. We also
found early evidence suggesting that pre-deployment
security scanning is effective at finding vulnerable
dependencies, resulting in fewer vulnerabilities in
production code.

1 We conceptualize high in this stat as >= 1 standard deviation on the score (e.g. security) and low as <= -1 standard deviation on the score.

Accelerate State of DevOps 2022 Executive summary 4

Drivers of organizational
performance

Besides the security practices mentioned above, Cloud

the key variables that impact organizational
performance tend to fall in the following categories: We found that cloud usage is predictive of
organizational performance. Companies with software
Organizational and team culture initially built on and for the cloud tend to have higher
organizational performance. Using private clouds,
High-trust and low-blame cultures, as defined by public clouds, hybrid clouds, or a mixture of clouds,
Westrum, tend to have higher organizational corresponds with higher organizational performance
performance. Similarly, organizations with teams that feel than the use of on-premises servers alone. Those who
supported through funding and leadership sponsorships use multiple public clouds are 1.4x more likely to have
tend to have higher organizational performance. Team above average organizational performance than those
stability and positive perceptions about one’s team who don’t.
(likelihood to recommend team) also tend to lead to
higher levels of organizational performance. Lastly, Cloud usage also seems to impact organizational
companies that offer flexible work arrangements tend performance through other factors in our dataset.
to see high levels of organizational performance. One example is supply chain security, where we found
that organizations using public clouds were also more
Reliability likely to implement SLSA practices– perhaps because
cloud providers encourage and provide building blocks
Both the practices we associate with reliability for many SLSA practices, such as automating builds and
engineering (e.g., clear reliability goals, salient reliability deployments.2,3 The broader point is that using cloud
metrics, etc.) and the extent to which people report platforms opens a team up to inherit many capabilities
meeting their reliability expectations are powerful and practices that eventually flow into higher
predictors of high levels of organizational performance. organizational performance.”

2Jung, Sun Jae. “Introduction to Mediation Analysis and Examples of Its Application to Real-world Data.” Journal of preventive medicine and
public health = Yebang Uihakhoe chi vol. 54,3 (2021): 166-172. doi:10.3961/jpmph.21.069
3 Carrión, Gabriel Cepeda, Christian Nitzl, and José L. Roldán. “Mediation analyses in partial least squares structural equation modeling:
Guidelines and empirical examples.” Partial least squares path modeling. Springer, Cham, 2017. 173-195.

Accelerate State of DevOps 2022 Executive summary 5

Context matters
For a long time, DORA has taken into consideration that effects depend on broader team context. We believe
it’s important to understand a team’s characteristics (processes, strengths, constraints, and goals), and the
environment in which the work takes place. For example, a technical capability that is advantageous in one
context could be deleterious in another. This year we focused on explicitly modeling these hypothesized
conditions in the form of interactions; many of these hypotheses are supported by this year’s data:

• High software delivery performance is only reaches this level of SRE maturity, we don’t detect
beneficial to organizational performance when a relationship between SRE and reaching reliability
operational performance is also high. Delivering targets. As a team’s SRE adoption grows, however,
quickly might not matter if your service is unable to it reaches an inflection point where the use of SRE
meet users' reliability expectations. starts to strongly predict reliability. The improved
reliability then impacts organizational performance.
• Implementing software supply chain security
controls, like those recommended by the SLSA • Technical capabilities build upon one another.
framework, has a positive effect on software Continuous delivery and version control amplify
delivery performance when continuous integration each other’s ability to promote high levels of
is firmly established. Without continuous software delivery performance. Combining
integration capabilities in place, software continuous delivery, loosely-coupled architecture,
delivery performance and security controls version control, and continuous integration fosters
might be in conflict. software delivery performance that is greater than
the sum of its parts.
• The impact of Site Reliability Engineering (SRE)
practices on a team’s ability to reach reliability
targets is non-linear. Practicing SRE doesn’t
positively affect reliability until a team achieves
a certain level of SRE maturity. Before a team

Accelerate State of DevOps 2022 Executive summary 6

The conditions upon which delivery depends, and We know this because, overall, teams that do this
the need to understand a team’s broader context, have higher organizational performance. Not always
leads us to a conclusion that is similar to this (what works for one organization does not necessarily
insight from 2021: work for another), but most of the time. As you engage
in your own experiments with DevOps practices,
“To make meaningful improvements, teams must be prepared for the occasional failure as you hone
adopt a philosophy of continuous improvement. in on what works for your team.
Use the benchmarks to measure your current
state, identify constraints based on the capabilities This year we also uncovered a number of surprises
investigated by the research, and experiment in the data but you’ll have to read on to find out
with improvements to relieve those constraints. what those are.
Experimentation will involve a mix of victories and
failures, but in both scenarios teams can take
meaningful actions as a result of lessons learned.”

Teams that recognize

Indeed, we found an effect this year that is deeply
aligned with this overarching philosophy: teams that
the need to continuously
recognize the need to continuously improve tend to have improve tend to have higher
higher organizational performance than those that don’t. organizational performance
than those that don’t.
In short, teams need to continuously adapt, and
to experiment with software development practices.

Accelerate State of DevOps 2022 Executive summary 7

02
How do you compare? Derek DeBellis

Are you curious about how your team compares to The second clustering approach includes a fifth metric,
others in the industry? This section includes the latest reliability, which we use to understand operational
benchmark assessment of DevOps performance. performance. Why add a new metric to the cluster
We examine how teams develop, deliver, and operate analysis? Because we have consistently seen the
software systems, and then segment respondents into importance of this metric. Indeed, we have evidence
clusters that capture the most common combinations that suggests that delivery performance can be
of DevOps performance. detrimental to organizational performance if not
paired with strong operational performance. Unlike
This year we include two different clustering approaches. our traditional clustering approach, this is a descriptive
The first is based on historical precedent. This clustering exercise that attempts to paint a picture of common
approach focuses on creating clusters based on four ways teams perform across delivery and operational
metrics that capture software delivery performance: lead performance. Hence, it isn’t always obvious which
time, deployment frequency, time to restore service, and cluster is better.
change failure rate. We summarize each of these below.
The goal of this approach is to help you quantify your First, let’s look at a brief overview of the five
team’s current performance so that you can compare measures we’re using to understand software
your performance to other teams. delivery and operational performance.

Accelerate State of DevOps 2022 How do you compare? 8

Software delivery and
operational performance
To meet the demands of their ever-changing to capture operational capabilities. Teams that excel
industries, organizations must deliver and operate in all five measures exhibit exceptional organizational
software quickly and reliably. The faster your teams performance. We call these five measures software
can make changes to your software, the sooner you delivery and operational (SDO) performance. Note
can deliver value to your customers, run experiments, that these metrics focus on system-level outcomes,
and receive valuable feedback. With eight years of which helps avoid the common pitfalls of tracking
data collection and research, we have developed and software metrics, that may result in pitting functions
validated four metrics that measure software delivery against each other and making local optimizations
performance. Since 2018, we’ve included a fifth metric at the cost of overall outcomes.

Accelerate State of DevOps 2022 How do you compare? 9

 Lead time MTTR
for changes

Five metrics of delivery

and operational performance

The four metrics of software delivery performance Deployment Change

can be considered in terms of throughput and stability. frequency failure rate

We measure throughput using lead time for code

changes (that is, time from code commit to release
in production), and deployment frequency.
We measure stability using time to restore a service
Operational
after an incident and change failure rate.

A fifth metric represents operational performance

and is a measure of modern operational practices.
We base operational performance on reliability, Reliability
which is how well your services meet user expectations,
such as availability and performance. Historically we
measured availability rather than reliability, but because
availability is a specific focus of reliability engineering,
we expanded to measure reliability in 2021 so that
availability, latency, performance, and scalability would
be more broadly represented. Specifically, we asked
respondents to rate their ability to meet or exceed
their reliability targets. We found that teams with
varying degrees of delivery performance see better
outcomes (e.g., less burnout) when they also prioritize
operational performance.

Accelerate State of DevOps 2022 How do you compare? 10

Historical clustering approach: solution invariably suggested that three clusters
clustering delivery performance best captured the data, regardless of the clustering
techniques applied. The table below describes the
This year, when evaluating the four-cluster solution delivery performance characteristics for each cluster.
we’ve used since 2018, we noticed that the data
showed a clear low performance cluster and a clear The striking difference from last year is that we don’t
high performance cluster. However, the two clusters consider any cluster to be elite this year. This year’s
that we would traditionally use to demarcate medium high cluster is a blend of last year’s high and elite
performance and high performance were not clusters. We decided to omit an elite cluster because
differentiated enough to warrant a split. Furthermore, the highest performing cluster simply isn’t indicating
the various indices that we use to pick the right cluster enough of the characteristics of last year’s elite cluster.

Software delivery performance metric Low Medium High

Deployment frequency Between once per Between once On-demand

month and once per week and (multiple
For the primary application or service you work on, how often does your
every 6 months once per month deploys per
organization deploy code to production or release it to end users?
day)

Lead time for changes Between one Between one Between one
month and six week and one day and one
For the primary application or service you work on, what is your lead time
months month week
for changes (i.e., how long does it take to go from code committed to code
successfully running in production)?

Time to restore service Between one Between one day Less than
week and one and one week one day
For the primary application or service you work on, how long does it generally
month
take to restore service when a service incident or a defect that impacts users
occurs (e.g., unplanned outage or service impairment)?

Change failure rate 46%-60% 16%-30% 0%-15%

For the primary application or service you work on, what percentage of
changes to production or released to users result in degraded service (e.g.,
lead to service impairment or service outage) and subsequently require
remediation (e.g., require a hotfix, rollback, fix forward, patch)?

Accelerate State of DevOps 2022 How do you compare? 11

It suggests that this sample doesn’t represent teams All that said, if you compare this year’s low, medium
or organizations with employees who feel they have and high clusters with last year’s, you’ll see that there
forged ahead. One possible hypothesis, which we is a shift toward slightly higher delivery performance.
currently lack the data to support, is that software It appears that this year’s clusters are between two of
development has seen reduced innovation in terms of last year’s. 2022’s high cluster is between 2021’s high
practices, tooling, and information sharing. This could and elite. 2022’s low cluster seems to be between
be the result of the ongoing pandemic hampering 2021’s low and medium. The shift upwards for the low
the ability to share knowledge and practices across performance cluster suggests that while the ceiling
teams and organizations. There might have been fewer for delivery performance has been lowered, the floor
opportunities to gather and learn from one another, has been raised.
which, in turn, might have slowed innovation. We are
hopeful to do a deeper dive to explore what underpins
this finding.

7%
2018 2019 2021 2022
20% 26% N/A
Elite Elite Elite Elite

48% 11%
High
23% High
High 40%
High

69%
44% Medium
37%
Medium Medium 28%
Medium

15% 12% 7% 19%

Low Low Low Low

Accelerate State of DevOps 2022 How do you compare? 12

The percentage breakdowns in the table above,
show that the percentage of high performers is at a
4-year low, while the percentage of low performers
rose dramatically, from 7% in 2021 to 19% this year.
Over two-thirds of this year’s respondents fall into
the medium cluster. The clear drop in high and elite
performers might suggest that many of this year’s
respondents are in organizations or on teams that
either haven’t established, or are in the process of
establishing, a DevOps culture that we’re seeing
emerge across many modern teams.

We might be focusing too much on the differences

between 2021 and 2022, rather than highlighting the
similarities. The clusters from 2021 and 2022 share
many characteristics, including a huge separation
between high performers from low performers. For
example, high performers are estimated1 to have
417x more deployments than low performers.

1 See “Methodology” section to

understand what is behind this estimate

Accelerate State of DevOps 2022 How do you compare? 13

Clustering delivery performance in our models. For organizations that do not show
and operational performance solid operational performance, throughput and
stability have less of an impact on organizational
We decided to do a cluster analysis on the three performance. We feel that describing the landscape
categories the five metrics are designed to represent: of DevOps performance without accounting for
throughput (a composite of lead time of code changes operational performance leaves out a crucial part
and deployment frequency), stability (a composite of of the picture.
time to restore a service and change failure rate) and
operational performance (reliability). The reason for Exploring the data led us to a four cluster solution. Here
this was the pivotal role operational performance plays is a breakdown of the four clusters and their names:

Operational
Stability Throughput
Performance
Cluster % respondents
Time to restore Deployment
Change failure rate Reliability Lead time
service frequency

Between one Between once per

Between one day and Sometimes meet
Starting 31%-45% week and one week and once per 28%
one week expectations
month month

On demand
Usually meet
Flowing Less than one hour 0%-15% Less than one day (multiple deploys 17%
expectations
per day)

Between one Between once per

Usually meet
Slowing Less than one day 0%-15% week and one week and once per 34%
expectations
month month

Between one Between once per

Between one month Usually meet
Retiring 46%-60% month and six month and once 21%
and six months expectations
months every 6 months

Accelerate State of DevOps 2022 How do you compare? 14

 Each cluster has unique characteristics
and accounts for a substantial proportion
of the responses.

The Starting cluster performs neither well nor

poorly across any of our dimensions. This cluster
If you visited two teams in the same cluster, might be in the early stages of their product, feature,
however, they’d likely come across as very different, or service’s development. They might be less focused
and our story might not capture what you see. on reliability because they’re focusing on getting
The story we provide for each cluster above is an feedback, understanding their product-market fit,
attempt to use our experience working with many and more generally, exploring.
teams to make these patterns in the data intelligible.
Further, if you visited the same team at two different
The Flowing cluster performs well across all
points in time, it is possible that they would not have
characteristics: high reliability, high stability,
stayed in the same cluster. One possible reason for
high throughput. Only 17% of respondents are
this could be that the team has either improved or
in this flow state.
degraded; another possibility is that the team has
moved into a deployment pattern more appropriate
Respondents in the Slowing cluster do not deploy
for the current state of its application or service.
too often, but when they do, they are likely to succeed.
For example, at an earlier point in an application
Over a third of responses fall into this cluster, making it
or service’s development, a team might have been
the largest and most representative of our sample. This
focused on exploring (Starting cluster), but as they
pattern is likely typical (though far from exclusive) to a
start to find their niche, they may shift their focus
team that is incrementally improving, but they and their
to reliability (Flowing cluster or Slowing cluster).
customers are mostly happy with the current state
of their application or product.

And finally, the Retiring cluster looks like a team

that is working on a service or application that is still
valuable to them and their customers, but no longer
under active development.

Accelerate State of DevOps 2022 How do you compare? 15

These clusters differ notably in their practices and Curiously, the Flowing cluster tends to focus less on
technical capabilities. Given the high levels of documentation. Last year, we found that documentation
software delivery and operational performance practices are central to both delivery performance and
demonstrated by the Flowing cluster, we decided operational performance (SDO). How does the Flowing
to look into how they differ from the other clusters cluster have strong SDO performance without a heavy
in their practices and technical capabilities. We found focus on documentation? For one, there are many routes
that relative to other clusters, the Flowing cluster to strong SDO performance outside of documentation.
focuses more on: Further, perhaps the Flowing cluster is continuously
refactoring its code to create a more self-documenting
• Loosely-coupled architectures: the extent process and, thereby, have less of a need for documents
teams can make large-scale changes to the as we describe them in the survey.
design of their system without depending on
other teams to make changes in their systems The Slowing cluster, which makes up the highest
proportion of our respondents, tends to be made up of
• Providing flexibility: how flexible a company is with respondents from larger organizations that tend to be less
regard to employee work arrangements cloud-native than other clusters. Picture a very mature
company with some calcified processes that, at the end
• Version control: how changes to application of the day, still provides end-users with stable and
code, system configuration, application reliable (and valuable) experiences. This cluster exhibits
configuration, etc. are managed a performance oriented, generative culture.2 One of the
Slowing cluster’s most interesting characteristics is that
• Continuous integration (CI): how frequently it has low throughput and high positive-work-culture (a
branches are integrated into the trunk “generative” work culture, according to Westrum); this
is an uncommon combination. It’s more common to see
• Continuous delivery (CD): capabilities focused proportional throughput and work culture (high/high or
on getting changes into production safely, low/low). We hope to conduct future research to better
sustainably and efficiently understand the relationship between throughput and culture.

2 (Westrum)

Accelerate State of DevOps 2022 How do you compare? 16

We also looked at how these different clusters • There are features that underlie these
compare on three outcomes: burnout, organizational four clusters that may not be in our data.
performance, and unplanned work. What we found broke For example, organization size may be a decent
our expectations. The Retiring cluster outperformed the proxy for maturity. The Flowing cluster tends to
other clusters in organizational performance. Looking be from smaller companies, which may indicate
at the characteristics of this cluster (poor stability and their products are in more formative stages.
poor throughput) this is seemingly at odds with most
of DORA’s previous findings. But instead of blaming • The members of the Flowing cluster tend to
randomness for creating an anomaly (highly possible), be from smaller companies, which may be less
we want to explore some possible explanations. bound by historical processes and infrastructure
and, as a consequence, have more sophisticated
When trying to unpack these findings, there is an DevOps processes in place. That said, the
important complementary finding to keep in mind. data show that an organization’s size is
The Retiring cluster achieves high organizational positively correlated with organizational
performance at a great cost: its teams have the highest performance for reasons that may be largely
burnout rates, feel the most susceptible to errors, unrelated to technology.
and are burdened with the most unplanned work. In
tandem, these results suggest that reliability might be • The Flowing cluster tended to disregard the
enough to achieve high organizational performance, principles described in Westrum’s generative
but without speed and stability, your team will pay the culture. We have seen that this is often to the
cost of burnout and unplanned work. detriment of organizational performance.

We have other hypotheses to explain why the Retiring • Organizations in each cluster may differ on what
cluster has higher organizational performance than the they mean by reliability expectations and how
other clusters, particularly the Flowing cluster. Here is they monitor them. The same goes for how they
a quick list. define their organizational performance goals.

Accelerate State of DevOps 2022 How do you compare? 17

• The Retiring cluster may have high short-term We’re excited to continue exploring new ways
organizational performance, but we wonder how to describe variations within the industry. Going
they would perform long-term. Will the burnout forward, we want to continue to include operational
result in turnover? Will they be able to scale performance as a relevant dimension in our
their processes? understanding of these variations. We also want
to avoid highly prescriptive and evaluative clusters
• We are asking the questions at varying levels. (e.g., Elite), and instead concentrate on the simply
The technical capabilities (for example, loosely- descriptive exercise of identifying common
coupled architecture) are asked at the level of the constellations of SDO performance.
team; the organizational performance questions
are asked at the level of the organization.
Organizations often have many teams, and
it is possible for the respondent to recognize
that while their organization is functioning well,
the team they’re working on isn’t.

Further, the Flowing cluster scores second highest

on organizational performance behind the Retiring
cluster, and has some of the lowest levels of burnout
and unplanned work. As demonstrated by both the
Flowing and Slowing clusters, a DevOps philosophy
is most effective when reliability is in place.

Accelerate State of DevOps 2022 How do you compare? 18

03
How do you improve? Derek DeBellis

How do you improve across

a multitude of outcomes?
The State of DevOps report is designed to provide
evidence-based guidance to help your team focus
on the DevOps practices and capabilities that get to
the outcomes you care about. This year we expanded
our investigation into both security and the set of
outcomes teams desire. In the past, we focused on
software delivery and operational performance (SDO)
and organizational performance outcomes. We still
do, but we also wanted to explore burnout, likelihood
to recommend the team, unplanned work, and error
proneness, not only as a means to improve SDO
and organizational performance, but also as ends in
themselves. Consequently, this year, we made sure
to call out practices and capabilities that seem to
exert an influence on these outcomes.

Accelerate State of DevOps 2022 How do you improve? 19

The research model shifted this year to better reflect Beyond the four keys
a theory underlying DORA: there isn’t a one-size-fits-
all approach to DevOps. In practice, we’ve found that How do DORA metrics
making recommendations involves understanding a improve the performance of
team’s broader context. A practice that is beneficial to development and operations?
one team might be detrimental to another team. For A cross-functional team of
example, we have long hypothesized that technical software engineers at Liberty
capabilities (such as loosely-coupled architecture, Mutual Insurance regularly
trunk based development, version control, and reviews performance using
continuous integration) have a more pronounced DORA’s “four keys” metrics.
positive impact on software delivery performance For example, Jenna Dailey, Sr.
when continuous delivery is in place. This year we Scrum Master at Liberty Mutual,
explicitly modeled this and other interactions. The shared that a squad leveraged
goal is to enhance our understanding from simply DORA’s research to help the
“what has an effect on what?” to include “under what team identify a bottleneck,
conditions do these effects exist, get amplified, or move towards a test-driven
get attenuated?” Understanding all this conditionality development approach, and
has proven to be a complicated and mind-bending realize improvements in their
endeavor, but we’re excited to share with you some of overall performance.
these early findings.
Learn more about Liberty
You can find this year’s and previous years’ research Mutual’s approach to leveraging
models online on our website. data and DORA metrics to
improve the quality and delivery
of software in their recent
Tomorrow Talks.

Accelerate State of DevOps 2022 How do you improve? 20

 Eric Maxwell

Cloud

36% 25%
Building on the momentum we have seen over the
past several years, the use of cloud computing
continues to accelerate. In fact, the percentage of
people reporting the use of public cloud, including increase in the use increase in hybrid
multiple clouds, is now 76%, up from 56% in 2021. of public cloud cloud usage
The number of people reporting no cloud usage at
all, including those that do not use private cloud,
dropped to just 10.5%, down from 21% last year. The
use of multiple public clouds rose from 21% to 26%,
and hybrid cloud usage is up 25% to 42.5%. We also
saw a small increase in the use of private cloud to
32.5%, up from last year’s reporting of 29%.

Accelerate State of DevOps 2022 How do you improve? 21

The use of cloud computing has a positive impact on overall
organizational performance. Respondents that used cloud
were 14% more likely to exceed in organizational
performance goals than their non-cloud using peers.

As we have shown in previous years, and continue to failure rate. This warrants further investigation. Instead
validate in this report, the use of cloud computing has a of speculating on the reasons for this, we’ll investigate
positive impact on overall organizational performance. further in future research. But with few exceptions, the
Respondents that used cloud were 14% more likely use of cloud-native applications (applications that were
to exceed in organizational performance goals than originally designed and architected for the cloud) stood
their non-cloud using peers. Our research shows that out with positive signals on everything we surveyed.
cloud computing enables teams to excel at things
like software supply chain security and reliability and Use of any cloud computing platform, public or
those things lead to organizational performance. private, positively contributes to culture and work
environment outcomes (for example, generative
Surprisingly, users of all types of cloud – public, private, culture, lower burnout, more stability, and higher
hybrid, and multi – showed a negative association employee satisfaction). Cloud users scored 16%
with change failure rate, meaning an increased change higher on these cultural outcomes.

Cloud usage continues to accelerate YoY

% change
2022
over 2021

Hybrid cloud 42.47% 25%

Public and/or Multiple public 76.08% 36%

Private Cloud 32.55% 12%

No Cloud 10.55% -50%

Accelerate State of DevOps 2022 How do you improve? 22

The use of hybrid and multi-cloud (and private) seems to
have a negative impact on software delivery performance
indicators – MTTR, lead-time, and deployment frequency –
unless respondents had high levels of reliability.

Hybrid and multi-cloud the importance of a robust SRE practice and

drive organizational performance the role reliability plays in software delivery.

We continue to see strong signals that the use of In 2021 we asked respondents to tell us their primary
hybrid cloud and multiple public clouds has a positive reason for utilizing multiple public clouds, whereas in
impact on organizations. Practitioners who used 2022 we asked participants to tell us all the benefits
multiple clouds showed a 1.4x higher organizational they realize from utilizing multiple cloud providers.
performance compared to non-cloud users. However, Availability was the number one most reported
use of hybrid and multi-cloud (as well as private cloud) benefit, which coincides with the attention and focus
seem to have a negative impact on several software we have seen in the industry around reliability — you
delivery performance indicators (MTTR, lead-time, and can not have reliable services unless they are available.
deployment frequency) unless respondents also have Over 50% of practitioners reported leveraging the
high levels of reliability. This finding further speaks to unique benefits of different cloud providers.

​​Benefits realized by adopting multiple cloud providers

50%
of respondents reported
using multiple cloud providers.

Accelerate State of DevOps 2022 How do you improve? 23

The use of the five characteristics of
cloud computing is a crucial beginning
to a long causal chain that leads to
organizational performance.

The five characteristics The customer generally has no direct control over
of cloud computing the exact location of the provided resources, but
can specify a location at a higher level of abstraction,
In keeping with our previous research approach, such as country, state, or data center.
we sought not simply to learn if participants were
using cloud computing technologies, but how they’re Rapid elasticity – Capabilities can be elastically
using cloud computing technologies. We achieved provisioned and released to rapidly scale outward or
this by asking about the five essential characteristics inward with demand. Consumer capabilities available
of cloud computing, as defined by the National for provisioning appear to be unlimited and can be
Institute of Standards and Technology (NIST). appropriated in any quantity at any time.

On-demand self-service – Consumers can provision Measured service – Cloud systems automatically
computing resources as needed, automatically, control and optimize resource use by leveraging
without any human interaction required on the a metering capability at a level of abstraction
part of the provider. appropriate to the type of service, such as storage,
processing, bandwidth, and active user accounts.
Broad network access – Capabilities are widely Resource usage can be monitored, controlled, and
available and consumers can access them through reported for transparency.
multiple clients such as mobile phones, tablets,
laptops, and workstations. This report validates the previous three years of
DORA research, concluding that the presence of
Resource pooling – Provider resources are pooled in these five characteristics in an organization
a multi-tenant model, with physical and virtual resources positively affects software delivery and operations
dynamically assigned and reassigned on demand. performance. We also found that these characteristics

Accelerate State of DevOps 2022 How do you improve? 24

lead to better organizational performance by setting
processes in motion that affect the organization in
positive ways. Exhibiting the five characteristics of
cloud computing is the first step in a long journey that
leads to higher organizational performance.

In 2022 we see that teams are increasingly taking

advantage of cloud computing differentiators. For the
4th year in a row, we are seeing growing adoption of
the five characteristics of cloud computing. Resourcer
Pooling saw the largest increase of 14% and Rapid
Elasticity, which was the second most used feature
last year, saw the smallest rise of 5%.

14%
increase in
resource pooling

Accelerate State of DevOps 2022 How do you improve? 25

 Dave Stanke

SRE and DevOps

A successful technology team contributes more to which teams are able to achieve their reliability targets.
their organization than shipping code — more, even, Both inputs and outputs — SRE practices and reliability
than shipping quality code. They also ensure that the outcomes — are reflected in our predictive model
services they deliver remain available, performant, and alongside other DevOps capabilities.
otherwise consistent with users’ expectations over
time. Reliability is a multi-faceted measure of how well Reliability is essential
a team upholds these commitments, and this year we
continued our explorations into reliability as a factor in SRE adoption is widespread among the teams we surveyed:
software delivery and operations. a majority of respondents use one or more of the practices
we asked about. Across this breadth of teams, the data
Site Reliability Engineering (SRE) is an influential reveal a nuanced relationship between reliability, software
approach to operations which originated at Google delivery, and outcomes: when reliability is poor, software
and is now practiced in many organizations. SRE delivery performance does not predict organizational
prioritizes empirical learning, cross-functional success. However, with better reliability, we begin to see the
collaboration, extensive reliance on automation, and positive influence of software delivery on business success.
the use of measurement techniques including Service
Level Objectives (SLOs). Other modern operations
practices employ similar methods but apply different
naming conventions. Therefore, to assess the extent of
Without reliability, software
these practices as objectively as possible, our survey delivery performance doesn’t
takes care to use neutral, descriptive language in the predict organizational success.
text that we present to respondents. We also collect data
on the outcomes of reliability engineering: the extent to

Accelerate State of DevOps 2022 How do you improve? 26

Investment in SRE yields
improvements to reliability,
but only once a threshold of
adoption has been reached.

This phenomenon is consistent with the use of the SRE or even regressions. Those who persist through these
“error budget” framework: when a service is unreliable, challenges, however, often experience renewed and
users won’t benefit from pushing code faster into that sustained levels of elevated achievement.
fragile context.
Our research this year reveals a J Curve pattern across
As Site Reliability Engineers have long asserted, reliability the technology teams we studied: when teams engage
is the most important “feature” of any product. Our in fewer reliability engineering practices — suggesting
research supports the observation that keeping promises they are earlier in their journey of adopting SRE — these
to users is a necessary condition in order for improved practices don’t predict better reliability outcomes.
software delivery to benefit the organization. However, as teams adopt more SRE, they reach an
inflection point where the use of SRE starts to strongly
Acknowledge the J-Curve predict reliability, and in turn, organizational performance.

What challenges await you on the path to achieving

reliability? In their O’Reilly publication “Enterprise
Roadmap to SRE,”1 DORA survey contributors James
Brookbank and Steve McGhee reflect on their
experiences of implementing SRE in established
organizations, and recommend “acknowledging the J
Curve of change.” Previously described in the 2018 State
of DevOps Report, the “J Curve,” is a phenomenon in
which organizational transformations tend to exhibit
early success, followed by periods of diminished returns,

1 https://sre.google/resources/practices-and-processes/
enterprise-roadmap-to-sre/

Accelerate State of DevOps 2022 How do you improve? 27

 Dependable teams make
dependable services:
generative team culture
predicts better reliability.

Teams that are in the early stages of a journey Investing in people,

toward an SRE practice should be prepared for process, and tooling
setbacks along the way. It can be a long road
as culture, process, and tooling all realign to Reliability is a human endeavor, and in many ways
new guiding principles. But they can be assured the SRE approach exemplifies this. One of SRE’s
that, with time and continued investment, core principles is that user perception, as opposed
success is likely. to internal monitoring data, is the true measure
of reliability. So it’s perhaps unsurprising that
High
High
High reliability is driven by positive team dynamics. We
High
High
found that teams with a “generative” culture, one
that exhibits trust and collaboration, are more
likely to practice SRE, and more likely to achieve
outcomes
Reliability outcomes
outcomes
Reliability outcomes
Reliabilityoutcomes

good reliability outcomes. Stable teams, whose

membership is consistent across time, also deliver
Reliability
Reliability

greater reliability for user-facing services. And,

as with DevOps as a whole, reliability engineering
efforts benefit from augmenting human efforts
with process and tooling. Practices such as the use
Low
Low
Low of cloud computing and continuous integration are
Low
Low
Low
Low
Low Low
Low Adoption
Adoption
Adoption of
ofof
SRESRE practices
practices
SRE practices High predictive of better reliability outcomes.
High
High
Adoption
Adoption ofof SRE
SRE practices
practices High
High

Teams that persist beyond initial steps of SRE adoption

see increasing improvement in reliability outcomes

Accelerate State of DevOps 2022 How do you improve? 28

 Eric Maxwell

Technical DevOps Capabilities

How do we improve? State of DevOps 2022: Sponsor briefing

This year, we looked at a variety of technical capabilities

Technical DevOps
to understand the outcomes that are capabilities
driven by different
technical practices. We considered two broad phases of
software development: the “inner loop,” which comprises
developer tasks such as coding, testing, and pushing
to version
This year, we lookedcontrol,
at aand the “outer
variety loop,” which
of technical includes to understand the
capabilities
outcomes that are
activities suchdriven bymerge,
as code different technical
automated codepractices.
review, We considered two
broad phases of software
test execution, development:
deployment, the “inner loop,” and the “outer loop
and release.

Our res
that exc
develop
Integrate faster a
Code reliabili

Push
Deploy
Inner Loop Outer Loop Test

Test Build

Release

Accelerate State of DevOps 2022 How do you improve? 29

High performers who
meet reliability targets are
1.4x more likely to use Cl.

Our research shows that companies that excel in In fact, respondents who make higher-than-average
inner and outer loop development are able to ship use of all of the above capabilities have 3.8x higher
code faster and with higher levels of reliability. organizational performance than those who do not
The capabilities that contribute most to high use these technical capabilities.
performance are version control, continuous
integration, continuous delivery, and loosely- Continuous integration
coupled architecture.
Continuous Integration, often referred to as CI, is a part of
High performers who the outer loop development process that automatically
meet reliability targets are: builds an artifact and runs a series of automated tests for
every code commit in an effort to assess whether code

33% more likely to

use version control
is ready to be deployed. This process provides quick,
automated feedback to the developer, allowing them to
operate with higher levels of confidence. CI is a key part of

39%
taking code from a developer’s workstation to production.
more likely to practice
As in previous years, CI is shown to drive delivery
continuous integration
performance. High performers who meet reliability
targets are 1.4x more likely to use CI than others.

46% more likely to practice

continuous delivery This year we dove a bit deeper into the other part
of the outer loop development process: continuous

40%
more likely to have delivery, which we will describe in a later chapter. But
systems based on a loosely- first, let’s take a look at a complementary component to
coupled architecture continuous integration: trunk-based development.

Accelerate State of DevOps 2022 How do you improve? 30

Trunk-based development Individuals with 16+ years of experience that use
trunk-based development realize the benefits of
Trunk-based development is the practice of the practice and see:
continuously merging code into the trunk and avoiding
long-lived feature branches. This practice is considered  Increased overall software delivery performance
a complement to continuous integration and has been  Decreased amounts of unplanned work
shown for years to accelerate software delivery velocity.  Decreased error-proneness
 Decreased change failure rate
Due to the shift in demographics this year around
years of experience on the job, we are able to see that This is likely due to the additional practices required
experience matters when implementing trunk-based to successfully implement Trunk-based development.
development. Last year we had 40% of respondents Teams that do not have rigorously enforced rules
state they had 16+yrs on the job and this year that around never walking away from a broken trunk or that
category represented just 13%. Continuing to validate do not use gated code branches and auto-roll back
our “Delivery Depends” theme, we see that folks with code that breaks the trunk will certainly experience
less experience overall have less positive results around pain when trying to develop on the trunk.
trunk-based development and see:
However, the presence of trunk-based
 Decreased overall software delivery performance development shows a positive impact on overall
 Increased amounts of unplanned work organizational performance.
 Increased error-proneness
 Increased change failure rate

Accelerate State of DevOps 2022 How do you improve? 31

 Frank Xu

Continuous Delivery

Continuous delivery (CD) is a software Last year, we examined the technical DevOps
development practice that: capabilities that predict the likelihood that a team
practices CD, and discovered that factors such as
1. Enables the team to deploy software to loosely-coupled architecture and continuous testing /
production or end users at any time integration were among the strongest predictors. This
2. Ensures the software is in a deployable year, in addition to examining the factors driving the
state throughout its lifecycle, including use of CD, we analyzed and identified the effects of
when working on new features CD alone as well as its interactions with other DevOps
3. Establishes a fast feedback loop that enables capabilities on development outcomes.
the team to check the quality and deployability
of the system, and prioritizes fixing issues CD drives software delivery
blocking deployment. performance
Similar to previous years’ findings, the use of CD is a
Note that continuous delivery does not necessarily predictor of higher software delivery performance, both
imply continuous deployment, the practice in which alone and in combination with other DevOps capabilities.
every software build is automatically deployed. Teams that rated higher on CD are more likely to have
Continuous delivery requires only that a software higher frequency of deploying code to production, and
build can be deployed at any time. shorter lead time for changes and service restoration.

Accelerate State of DevOps 2022 How do you improve? 32

 Technical practices and CD
Our research has regularly shown that a broad
Teams that combine version set of technical capabilities support CD. This year,
control and continuous we explored what happens when some of these

delivery are 2.5x more likely to individual capabilities are used in conjunction with
CD. We found that trunk-based development and
have high software delivery
loosely-coupled architecture, together with CD,
performance than teams that may have a negative impact on a team’s performance.
only focus on one. For example, we see evidence that teams who are
adopting loosely-coupled architectures and CD
together are 43% more likely to anticipate more than
average error proneness (i.e., product outages, security
In addition, respondents are 2.5x more likely to report vulnerabilities and significant performance degradation
higher software delivery performance when their team to happen to their services), compared to teams
also adopts version control practices. that only adopted CD. These effects require further
investigation and point to some potential friction for
CD can increase unplanned work teams who are improving. This friction may be related
The data suggested that continuous delivery leads to to the J-curve of transformation wherein teams realize
developers spending more time on rework or unplanned early improvements but then falter as they move beyond
work. A hypothesis for this finding is that developers are the low-hanging fruit. Commitment to improvement is
more likely to build applications iteratively when there are required to realize its full potential. When improving any
tighter feedback loops. As a result they may view some capability, such as CD, be sure to watch after the effects
iterative changes as unplanned work on the same part of on the team and overall performance.
the system. This work may be simultaneously unplanned
and driven by feedback from a previous deployment.

Accelerate State of DevOps 2022 How do you improve? 33

 David Farley

Loosely-coupled Architecture
Loosely-coupled systems are important to the
effectiveness of teams and organizations. This doesn’t
just apply to cloud- or microservice-based systems
— it has to do with an organization’s ability to make
change. The ease with which an organization can safely
and confidently change its software is a marker of the
software’s quality.

With a loosely-coupled architecture teams can:

• Make large-scale changes to the design of their
system without having to depending on other
teams to make changes in their systems
• Get faster feedback through independent,
on-demand testing with lower coordination costs
• Deploy code with negligible downtime

In this year’s report, we asked respondents to

describe whether or not the software they build
is based on a loosely-coupled architecture.
The results were intriguing, and showed a
variety of mostly positive associations between
the presence of loosely-coupled architecture and
teams’ performance across multiple dimensions.

Accelerate State of DevOps 2022 How do you improve? 34

The benefits of a managing hundreds of services. However, loose coupling
loosely-coupled architecture is more than a simple measure of the count of services in
a system. Components in a loosely-coupled architecture
Teams that focus on building software with loosely- can be deployed independently. This independence allows
coupled architectures are in a better position to teams to develop, test, and deploy their services without
perform strongly across stability, reliability, and expensive coordination overhead between teams.
throughput. These teams are also more likely to
recommend their workplace to a friend or colleague. In the real world, loose coupling is not restricted to one
architectural style; fundamentally, it’s the ability to make
It’s common to see software that uses a loosely-coupled a change in one part of the system, without that change
architecture from teams that are deploying to the cloud impacting other parts. This allows organizations to divide
and adopting a microservices architectural approach, up their work, so that individual teams can make progress
without having to coordinate with other teams.

In our experience, teams that require deep integration

Teams that focus on building testing with other services as a way to build confidence
in their software before it’s deployed have not yet
software with loosely-
achieved loose coupling; to do so, these teams would
coupled architectures are in benefit from improving the interfaces and isolation
a better position to perform between systems. One effective way to improve

strongly across stability, interfaces and isolation is by improving the ‘testability’

of services and components. If your design allows you
reliability, and throughput.
to test your service in isolation, then its interface is,
by definition, loosely-coupled.

Accelerate State of DevOps 2022 How do you improve? 35

We also found that cohesive, stable teams that use Surprising findings
loosely-coupled architecture are more likely to use
software development practices that encourage and This year’s research revealed that loosely-coupled
support continuous improvement. For example, SRE architecture might contribute to burnout on teams.
practices such as setting reliability goals to prioritize This is a surprising finding that contradicts findings
work or performing regular reviews to revise reliability from previous years. Our analysis shows that stable
targets based on evidence, both support loosely- teams where information flows freely have lower levels of
coupled architecture. burnout. Westrum’s generative culture and team stability
both support loosely-coupled architecture and decrease
Loosely-coupled architectures also allow the burnout, so this is clearly contradictory. More research is
organization to more easily add employees, as required before we can draw definitive conclusions.
independent teams that don’t need to coordinate
with other teams are freer to increase the size of At the same time, when security requirements are defined
their teams independently. and controlled by a consolidated security organization,
it may be more difficult for teams to decouple their
In short, loose coupling of software services software from other teams. This further demonstrates
impacts more than just technical impact. It also the benefit of shifting security concerns to the team that
affects the socio-technical aspects of software is most responsible for the application (see also: Why
development. Coupling is at the root of Conway’s Law — supply chain security matters). This is one of the more
the idea that an organization’s design systems mirror their subtle forms of coupling in organizations, and though
own communication structure. More loosely-coupled we have collected the data on security, this is likely to
systems mean more loosely-coupled organizations with be equally true of other centralized functions. Allowing
a more distributed, scaleable, approach to development. teams to make their own decisions on security, and other
frequently centralized functions, is one way to make
progress toward reaping the benefits that using loosely-
coupled architecture can impart to your organization.

Accelerate State of DevOps 2022 How do you improve? 36

 Daniella Villalba

Culture
“Well, this is how things are done around here.”

People have likely uttered this phrase countless

times and across a wide range of industries to
describe their organization’s approach to
challenges and opportunities.

Every organization has its own unique culture,

and our research has consistently shown that
culture is foundational to an organization’s success
and the well-being of its employees.

Culture is also a necessary aspect of DevOps

since, at the most basic level, DevOps is about
tools, practices, and how people work together
to develop and deliver software quickly, reliably,
and safely. Understanding the factors that impact
an organization’s culture can help leadership tackle
culture-related challenges head-on. Therefore,
fostering a healthy culture should be a priority for
organizations. If left unaddressed, these culture-
related challenges may hinder DevOps practices
from taking hold.

Accelerate State of DevOps 2022 How do you improve? 37

This year we continued to use Westrum’s organizational pathological culture. Employees at organizations with
typology to measure the health of an organization’s a generative culture are more likely to belong to stable
culture. In addition, we expanded our understanding teams, produce higher-quality documentation, and
of culture by measuring team churn, flexible work spend most of their time engaged in meaningful work.
arrangements, perceived organizational buy-in,
and burnout. Team Churn

Data from this year’s research support previous findings We investigated team churn and found that stable
that organizational performance is impacted by the teams — teams whose composition hadn’t changed
type of culture that exists within an organization. much over the last 12 months, were more likely to exist
Specifically, a generative culture is associated with within high-performing organizations. Constant churn
higher levels of organizational performance compared can impact productivity and morale as new team
to organizations characterized by a bureaucratic or members need time to onboard. And those who stay

Westrum Organizational culture

Pathological Bureaucratic Generative

Power oriented Rule oriented Performance oriented

Low cooperation Modest cooperation High cooperation

Messengers are “shot” Messengers are neglected Messengers are trained
Responsibilities shirked Narrow responsibilities Responsibilities are shared
Bridging discouraged Bridging tolerated Bridging encouraged
Failure leads to scapegoating Failure leads to justice Failure leads to inquiry
Novelty crushed Novelty leads to problems Novelty implemented

Accelerate State of DevOps 2022 How do you improve? 38

might need to adapt to changes in their workload and in-person, or hybrid options was associated with higher
team dynamics. In addition, our research showed that organizational performance. Findings showed that
stable teams were more likely to report producing organizations with higher levels of employee flexibility
quality documentation compared to teams that have higher organizational performance compared to
experienced more churn. A team that is constantly organizations with more rigid work arrangements. These
dealing with change may have a harder time keeping findings provide evidence that giving employees the
up with practices that lead to quality documentation. freedom to modify their work arrangements as needed
has tangible and direct benefits for an organization.

Burnout
High performing
organizations are more Burnout is a feeling of dread, apathy, and cynicism

likely to have flexible surrounding work. When people experience burnout,

they are not just unmotivated and exhausted, they are
work arrangements.
also more likely to have lower job satisfaction, which can
increase employee turnover. Burnout has been linked to
a wide range of poor psychological and physical health
Flexible work arrangements outcomes such as increased risk for depression and
anxiety, heart disease, and suicidal thoughts1.
Given the shift to flexible work arrangements that many
organizations have adopted since the outbreak of the Last year we measured burnout in the context of the
COVID-19 pandemic, we investigated whether giving COVID-19 pandemic and found that a generative culture
employees the freedom to choose between remote, was associated with lower rates of employee burnout.

1 Maslach C, Leiter MP. Understanding the burnout experience: recent research and its implications for psychiatry.
World Psychiatry. 2016 Jun;15(2):103-11. doi: 10.1002/wps.20311. PMID: 27265691; PMCID: PMC4911781.

Accelerate State of DevOps 2022 How do you improve? 39

 How employees perceive
their organization
Flexible work models
are associated with Lastly, we investigated perceived leadership buy-in

decreases in employee by asking people to predict how much support

they expected their team to receive over the next
burnout and increases in
12 months. Results showed that higher perceived
employees’ likelihood of leadership buy-in (for example more financial support,
recommending their team more allocation of resources, sponsorships) was

as a good place to work. associated with high performing organizations.

We also asked people to predict the likelihood that

a security breach or a complete outage would occur
This year we replicated this finding and expanded our over the next 12 months. Results showed that people
understanding of burnout by showing that stable teams working at high performing organizations were
and flexible work arrangements are also associated with less likely to expect a major error to occur -
less burnout. In addition, this year we measured team Net they had a more positive outlook on their
Promoter Score (NPS), which indicates whether people organization. Similarly, we found that
would recommend their team to a friend or colleague. people working in organizations with
We found that team NPS was associated with perceived high software and delivery
leadership buy-in. And mirroring the burnout findings, performance were less likely to
we found that a generative culture, a stable team, and feel that their current practices
a flexible work arrangement are associated with people needed to be changed to
being more likely to recommend their team to others. improve business outcomes.

Accelerate State of DevOps 2022 How do you improve? 40

A few words on representation While we continue to emphasize the importance
of culture, we acknowledge that changing or even
Our findings showed that employees from improving an organization’s culture is no easy task.
underrepresented groups were more likely to report We recommend that organizations seek to first
spending more time on unplanned work regardless understand their employees’ experiences and
of whether they belong to high or low performing subsequently invest resources in addressing
organizations. We also found that employees from culture-related issues as part of DevOps
underrepresented groups reported higher levels of transformation efforts.
burnout compared to employees who do not belong
to underrepresented groups. Team leads should be
aware of the risk for workload imbalance and ensure
work is allocated fairly among team members.

Taken together, these findings underscore the importance

of creating a healthy and inclusive environment for
employees both at the organizational and team level.

Accelerate State of DevOps 2022 How do you improve? 41

04
Why supply chain John Speed Meyers Todd Kulesza

security matters

In November 2020, relatively few technology changed all of that. When attackers can silently
professionals suspected that a software supply penetrate thousands of major companies and
chain security crisis was brewing. The Open Source government networks on the back of trojan
Security Foundation, a successor to past efforts, had software updates, the times change fast.
been founded to focus on open source software
security, and while there were a few bright spots towards Today, the topic of software supply chain security
addressing this problem, the topic was not on the front has become widely recognized as urgent — if not
page of major newspapers. A major attack, SolarWinds, over family dinner, certainly in the boardroom.

Accelerate State of DevOps 2022 Supply chain security 42

 01
There are numerous initiatives, and large parts of the Adoption has already begun: Software
software industry have committed to reforming their supply chain security practices embodied
own software supply chain security practices and in SLSA and SSDF already see modest
improving the security of the open source commons. adoption, but there is ample room for more.

02
In this chapter, we focus on two initiatives: Healthier cultures have a head start:
Supply Chain Levels for Software Artifacts (SLSA, Organizational culture is a primary
pronounced “salsa”), and the NIST Secure Software driver of software development security
Development Framework (SSDF). Each offers a range practices, with higher trust, “blameless” cultures are
of defensive measures to make sure that attackers more likely to establish SLSA and SSDF practices
can’t tamper with software production processes than lower-trust organizational cultures.
and sail past network defenders via malicious

03
software updates. There’s a key integration point:
Adoption of the technical aspects of
But how widely used are the software supply chain software supply chain security appears
security practices associated with SLSA and SSDF? to hinge on the use of CI/CD, which often provides
Which practices need help driving adoption, and the integration platform for many supply chain
which are already in widespread use? To date, there security practices.
were no systematic answers to these questions.

04
By surveying hundreds of software professionals It provides unexpected benefits:
about their use of practices associated with supply Besides a reduction in security risks,
chain security, we provide some early answers. better security practices carry additional
In particular, four main findings stand out: advantages, such as reduced burnout.

Accelerate State of DevOps 2022 Supply chain security 43

What companies do today to
avoid security vulnerabilities
To better understand what organizations are doing The SLSA framework, at v0.1 at the time of
today to identify and resolve security vulnerabilities writing, describes a series of software supply chain
in the software they build, we added over two dozen integrity practices associated with SLSA “levels,”
questions to this year’s survey. These questions with higher levels corresponding to higher levels of
broadly fell into two categories: software supply chain security assurance. We asked
respondents about many of the particular practices
• Questions that asked respondents to agree associated with SLSA. In particular, the survey asked,
or disagree with a statement (for example, “How established are the following practices for
“My organization has an effective method for the primary application or service you work on?”
addressing security threats” or “I have access to Table 1 lists the wording of the SLSA-related
the necessary tooling to execute security tests”). practices covered in the survey.

• Questions that asked respondents how The SSDF, currently at v1.1, focuses on practices
established or not established security practices to help organizations ship software with fewer
are at their organization (for example, “Builds vulnerabilities, and to minimize the potential
are defined through build scripts and nothing impact of remaining vulnerabilities. Instead of
else” or “Production releases are built by using a SLSA’s “levels,” SSDF practices are grouped into
centralized CI/CD system, never on a developer’s four categories: preparing the organization,
workstation”). We used the “established/not protecting the software being developed,
established” scale because early tests found that producing well-secured software, and responding
respondents were biased towards agreeing with effectively to discovered vulnerabilities. The survey
some security-related questions. The questions asked respondents how much they agree (or
about SSDF, however, were more naturally phrased disagree) with statements describing several SSDF
with the agree/disagree response scale. practices; these questions are summarized in Table 2.

Accelerate State of DevOps 2022 Supply chain security 44

 SLSA Practice Survey Definition

Production releases are built by using a centralized CI/CD system,

Centralized CI/CD
never on a developer’s workstation
History Preserved Revisions and their change history are preserved indefinitely
Build Script Builds are fully defined through the build script and nothing else
Isolated Builds are isolated; they cannot interfere with concurrent or subsequent builds
Build definitions and configurations are defined in text files stored in a version
Build Text Files
control system
Build metadata (e.g. dependencies, build process, build environment)
Parameters Metadata
about an artifact includes all build parameters
Dependencies Meta- Build metadata (e.g. dependencies, build process, build environment)
data about an artifact documents all dependencies
Metadata Build metadata (e.g. dependencies, build process, build environment) is either generated
Generated by the build service, or by a build-metadata generator that reads the build service
When running builds, build steps are prevented from loading any build inputs
Prevent Inputs
dynamically (i.e. all required sources and dependencies are fetched upfront)
Build metadata (e.g. dependencies, build process, build environment)
Users No Edit
about an artifact cannot be edited by build services users
Build metadata (e.g. dependencies, build process, build environment)
Metadata Available is available to the people who need it (e.g. via a central database), and is
delivered in a format that they accept
Every change in a revision’s history must be individually reviewed and
Two Person Review
approved by two trusted persons prior to submission
The build metadata (e.g. dependencies, build process, build environment)
Metadata Signed
about how an artifact was produced is signed by my build service

Table 1. SLSA-Related Survey Questions

Note: Respondents had five possible responses to each question: not established at all,
slightly established, moderately established, very established, and completely established.

Accelerate State of DevOps 2022 Supply chain security 45

 SSDF Practice Survey Definition

Security reviews A security review is conducted for all major features on the applications I work on
Continuous code We continuously engage in automated or manual code analysis and testing for all supported re-
analysis / testing leases, in order to identify or confirm the presence of previously undetected vulnerabilities
Early security testing Security tests are run early in the software development process, either by me or by another team
Effectively address
My organization has an effective method for addressing security threats
threats
Integrated with de-
Security roles are integrated into our software development team
velopment team
Documents require- Our org has processes in place to identify and document all security requirements for the software
ments our organization develops or acquires (including third-party and open source)
Regularly reviews
Security requirements are reviewed at regular intervals (annually, or sooner if required)
requirements
Metadata Build metadata (e.g. dependencies, build process, build environment) is either generated by the
Generated build service, or by a build-metadata generator that reads the build service
Integrated with de-
At my company, the software-security protocol is seamlessly built into our development process
velopment cycle
Standard process
At my company, we have a standardized process for addressing software security across projects
across projects
Monitor security We have ongoing efforts to monitor information coming from public sources regarding possible
reports vulnerabilities in the software we use and its third-party components
Have necessary tools I have access to the necessary tooling to execute security tests

Table 2. SSDF-Related Survey Questions

Note: Respondents had seven possible responses to each question: strongly disagree, disagree,
somewhat disagree, neither agree nor disagree, somewhat agree, agree, and strongly agree.

Accelerate State of DevOps 2022 Supply chain security 46

Overall, we found relatively broad adoption of an organization was a predictor of the maturity of its
emerging industry practices, though with plenty security practices. Thus, we believe that without this
of room for these to become more established. critical piece of infrastructure, it is very difficult for an
For example, while 66% of respondents agreed organization to ensure a consistent set of scanners,
with the statement, “At my company, the software- linters, and tests are run against the software artifacts
security protocol is seamlessly built into our they create.
development process,” only 18% strongly agreed.
Figures 1 and 2 summarize participant responses In addition to CI/CD, other commonly established
to our security questions. practices included indefinite preservation of code
history (60%), builds that are solely defined via scripts
We found that using continuous integration/continuous (58%), keeping builds isolated from one another (57%),
delivery (CI/CD) systems for production releases was and storing build definitions in source control (56%).
the most commonly established practice, with 63% On the lower end, the two least commonly established
of respondents saying this was “very” or “completely” practices were requiring two or more reviewers to
established. That CI/CD tops this list aligns with prior approve each code change (45%) and signing build
security research, which found that most organizations metadata to prevent/detect tampering (41%).
implement application-level security scanning as part
of their CI/CD process. In addition, a separate set of
security-focused qualitative interviews suggested that
most developers were unable to run such tooling locally
during development. The SLSA framework similarly
builds upon CI systems as a central integration point for
supply chain security. Our model analysis, described
in the next section, found that the presence of CI in

Accelerate State of DevOps 2022 Supply chain security 47

Alongside questions about established practices, we While it’s encouraging that this had the lowest level
also asked participants to agree or disagree with a of respondent agreement, the fact that a majority
set of statements about security at their organization. of respondents said current security processes
The statement with the highest level of agreement slow down development suggests a great deal
was, “We have ongoing efforts to monitor information of room for improvement in security tooling and
coming from public sources regarding possible approaches. Our model analysis also supports
vulnerabilities in the software we use and its third- this interpretation, showing mixed (though
party components,” with 81% of respondents agreeing. minor) effects on software delivery performance.
On the opposite side, the statement with the lowest
proportion of agreement regarded negative impacts
of security practices on software development – 56%
of respondents agreed that, “The software security
processes that exist at my company slow down the
development process for the applications I work on.”

Accelerate State of DevOps 2022 Supply chain security 48

 Completely or Moderately Not or slightly
very established established established

Centralized CICD

History preserved

Build script

Isolated

Build text fields

Parameters metadata

Dependencies metadata

Metadata generated

Prevents inputs

Users no edit

Metadata available

Two person review

Metadata signed

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage of respondents

Figure 1. Establishment of SLSA practices

Survey responses about the establishment of SLSA practices. A majority of respondents indicated some
establishment of all of these practices, but relatively few said they were “completely” established yet.

Accelerate State of DevOps 2022 Supply chain security 49

 Agree Neither agree nor disagree Disagree

Security reviews

Continuous code analysis/ testing

Early security testing

Effectively address threats

Effectively identify threats

Integrated with development

Documents requirements

Regularly review requirements

integrated with development cycle

Standard process across projects

Monitor security reports

Have necessary tools

0% 10% 20% 30% 40% 50% 60% 70% 80% 90% 100%
Percentage of respondents

Figure 2. Establishment of SSDF practices

Survey responses about the establishment of SSDF practices. Similar to SLSA, a majority
of respondents agreed that their organization followed all of these practices.

Accelerate State of DevOps 2022 Supply chain security 50

What helps companies follow
good security practices?
Application security is just one aspect of software Our survey data suggest that there are several
development, and thus one of many competing factors which make it easier for developers to,
demands on developers’ time and attention. High- “do the secure thing.”
friction approaches to security can be frustrating for
developers and ineffective overall, as people try The biggest factor we found was not technical at all, but
to avoid the friction points. For example, a set of rather cultural: organizations closest to the “generative”
research interviews with professional software Westrum culture group were significantly more likely
engineers found that their touchpoints with security to say they had broadly established security practices,
teams were limited to either the start or end of a as defined by the SLSA framework1. Aspects of generative
project, and the teams could be difficult to engage cultures include being highly cooperative, sharing risks and
with. In the words of one participant, “We have an responsibilities, and learning from past mistakes. We
application security team, but I have never had my hypothesize these traits manifest in healthier security
code reviewed by them… I am like most engineers, practices in numerous ways, such as encouraging
I avoid them usually.” software engineers to be more proactive about supply
chain security, rewarding people for their efforts around
One approach to improving software security is to security regardless of their job role, or reducing perceived
reduce barriers to following security practices. The risks of reporting potential security issues.
developers we spoke with wanted to do the right thing,
and often discussed frustration that shipping features Technologically, three of the most important factors
or fixes consistently took priority over potential security driving security relate to infrastructure. Intuitively this
issues. For example, one respondent to a separate makes sense: if your infrastructure makes tasks like
security-related survey described their biggest vulnerability scanning or manual code reviews easier to
security challenge as, “making it a priority conduct, then it becomes more likely your engineers will
in the first place. It’s not sexy, it doesn’t sell more use them. Specifically, we found that having systems
product, [and] it’s not a problem until it becomes one.” for source control, continuous integration, and

1 Interestingly, these same respondents were not more likely to agree with the NIST SSDF questions. While SLSA and SSDF discuss different
aspects of application development security, we expected to find overlap between these sets of questions. As mentioned earlier, it’s possible
that the response scale for SSDF was biased towards “agreement” responses, which would explain this difference.

Accelerate State of DevOps 2022 Supply chain security 51

continuous delivery were all linked with also having security tools locally would help them work faster
more firmly established SLSA practices. A key part of and more efficiently.
this is likely when security issues get developer attention,
which a separate survey found was primarily during CI. The cultural and technological factors discussed above
Typically CI directly precedes code reviews, and is when were the biggest drivers of security, but not the only
vulnerability scanners and other code analysis tools are ones. Other notable factors included:
run, as it guarantees that all code commits are subject to • Flexibility in work arrangements (for example, does
the same security requirements. The lack of a centralized the organization support working from home?)
build system makes such consistent scanning far more • Cloud use (either public or private)
challenging, and the lack of source control in turn makes • Working on a “cloud-native” application or service
it challenging to have a centralized build system in • Feeling that the business values and
the first place. invests in your team
• Low turnover on team
Security scanning as part of CI/CD, however, may not • Organization size, with larger organizations
be early enough for software engineers. In a set of reporting higher security scores
security-related interviews with application developers,
they consistently told us security scanning on their These factors, however, mostly seem to correlate with
development workstation would help to save time either the generative Westrum culture (for example,
and effort. Two situations were commonly cited: flexible work arrangements, feeling valued by your
1) wanting to know in advance if they were building organization, or having low team turnover), or with CI/
upon a dependency with known vulnerabilities, so CD usage (for example, working on a cloud-native
they could re-evaluate using that dependency before application, or working at a large organization). This data
building on top of it, and 2) avoiding long CI wait times, leads us to believe organizational culture and modern
sometimes measured in hours, just to confirm whether development processes (such as continuous integration)
their current changes resolved a security issue. In are the biggest drivers of an organization’s application
both cases, software engineers said that while a CI development security, and the best place to start for
“backstop” was necessary, the ability to run the same organizations looking to increase their security posture.

Accelerate State of DevOps 2022 Supply chain security 52

What outcomes do good
security practices lead to?

As organizations improve their security practices around can eliminate security threats, but our evidence suggests
software development, what benefits might they expect they do reduce an organization’s security risk.
to see? Our survey data confirms that participants
anticipate a lower chance of security breaches, Security practices can also positively impact performance-
service outages, and performance degradation as based outcomes, but there is a twist: CI plays a pivotal
companies increase establishment of supply chain role. When CI isn’t implemented, security practices show
security practices. Similarly, we conducted separate no effect on software delivery performance. But when
research in the first half of 2022, finding that running CI is implemented, security practices have a strong
tools like vulnerability scanners during CI significantly positive effect on software delivery performance. This
increased the probability of identifying vulnerabilities essentially means that CI is necessary for security practices
in software dependencies: respondents who used such to positively impact software delivery performance.
tools were nearly twice as likely to report identifying Further, security practices generally have a positive effect
a security vulnerability in their own code or in one of on organizational performance, and when CI is firmly
its dependencies. In short: SLSA and SSDF practices established, this effect is amplified. The graph below
appear to work as intended. We don’t claim that they attempts to visualize this effect.

Above average CI 0.45% 0.66%

Below average CI 0.33% 0.46%

Below average security practices Above average security practices

Security Practices (SLSA-related)

proportion with above average organizational performance

0.4 0.5 0.6

Accelerate State of DevOps 2022 Supply chain security 53

Along with a reduction in perceived security risks,
respondents also reported less burnout among team
members and an increased willingness to recommend Tools and processes that
their organization as a great place to work. Both of help them incorporate
these findings speak to the “yes, and’’ nature of security secure practices into their
for software engineers: it’s one more task on their
existing development
already crowded plates. Tools and processes that help
them incorporate secure practices into their existing
workflow, as opposed to
development workflow, as opposed to unplanned unplanned work or “fire
work or “fire drills” when a threat is discovered, drills” when a threat is
provide a mechanism for reducing security risks and
discovered, provide a
increasing developer joy.
mechanism for reducing
Taken together, our evidence suggests that healthy, security risks and
high-performing teams also tend to have good increasing developer joy.
security practices broadly established (though,
as noted earlier, there continues to be room for
improvement). Following approaches such as the
SLSA or SSDF frameworks might not single-handedly
improve all the culture and performance metrics that
we measure, but it’s clear that security need not come
at the expense of other development priorities.

Accelerate State of DevOps 2022 Supply chain security 54

05
Surprises Derek DeBellis

Although each year’s report focuses on the might be responsible for overseeing or directing the
corresponding year’s survey responses, we do our implementation of these practices. Another possibility
best to understand these findings in the context of is that something has shifted in the industry or the
the entire catalog of State of DevOps Reports and world; what worked yesterday isn’t guaranteed to work
adjacent research (for example, research on burnout tomorrow. Macroeconomic forces, and another year
and culture). Testing the reliability of these effects largely in the shadow of the COVID-19 pandemic, for
through replication efforts is a core tenet of the example, may have changed the physics of DevOps.
research program. This gives us an opportunity to Lastly, subtle changes to what is included in our
adjust our beliefs to fit the data and understand model may have changed the relationships
evolving or emerging trends. between variables.1

This year we ran into a few surprises. There are a

myriad of potential reasons for this. For one, the sample
shifted this year to include more people earlier in their
careers than in previous reports. One interpretation
is that we’re hearing more from the people who are
directly responsible for implementing the technical
practices and capabilities, as opposed to people who

1 Judea Pearl’s “Book of Why” and Robert McElreath’s

“Statistical Rethinking” present us with incredible
examples of how what you do and don’t include in your
statistical models can impact the model’s output.

Accelerate State of DevOps 2022 Surprises 55

 01
An unexpected or unhypothesized finding puts We have consistently observed that trunk-
researchers in a tough spot when it’s time to write the based development practices have a positive
report. Given the risk that the finding is spurious or, at the impact on software delivery performance.
very least, has yet to establish (or even contradicts) the In fact, this has been observed in every year of
empirical evidence of multiple studies, the responsible the study since 2014. Trunk-based development
move is to do follow-up research to attempt to replicate capabilities were behaving out of character this year.
the results and understand their cause.2 By focusing on the For one, trunk capabilities had a negative impact on
surprises, a researcher also runs the risk of deemphasizing software delivery performance. The opposite was
how many effects have reliably emerged across years true in previous research reports. Given how aberrant
of research. We statistically explore over one hundred this finding is, we are eager to see if it is replicated in
pathways for each State of DevOps report. In doing so, upcoming research and hear if the community has
we invite the risk of spurious findings simply by chance. any explanations.
We try to counteract that with yearly replication efforts.

02
We only found that software delivery
On the other hand, not reporting the finding risks performance is beneficial to organizational
creating a file drawer effect3, which effectively results performance when operational
in the expected or palatable becoming well-known, performance is also high, and many respondents
and the unexpected or difficult to stomach being did not have high operational performance. This
hidden away. We seek to strike a balance: we don’t contradicts previous iterations of our research
want to sensationalize nascent findings, but we also where the connection between software delivery
feel it is crucial to share them. Here are the things that performance and organizational performance was
surprised us the most, and what we think they mean: much clearer.

2 Kerr, N. L. (1998). HARKing: Hypothesizing after the results are known. Personality and social psychology review, 2(3), 196-217.
3 Rosenthal, R. (1979). The file drawer problem and tolerance for null results. Psychological bulletin, 86(3), 638.

Accelerate State of DevOps 2022 Surprises 56

03 05
Documentation practices negatively Reliability engineering practices had a
impacted software delivery performance. negative impact on software delivery
This is at odds with previous reports. One performance. One explanation is that these
hypothesis is that documentation is becoming an are not necessarily causally intertwined. This year
increasingly automated practice, especially among we noticed in a new clustering analysis (see “How do
high-performing teams. Until we collect additional you compare”) that a subset of clusters seemed to
data, we have little evidence to either support or focus on reliability while ignoring software delivery
refute this belief. performance. We believe that these are decoupled, in
the sense that you can do one without doing the other,

04
Some tech capabilities (i.e., trunk based but ultimately, to make software delivery performance
development, loosely-coupled architecture, count in terms of organizational performance,
CI, CD) seemed to predict burnout. As reliability needs to be in place.
mentioned above, many respondents in this sample

06
were notably earlier in their careers than participants We added SLSA-related practices to
in previous years’ samples. Hence, we might have been understand whether teams are adopting
talking to people responsible for implementing the these approaches to maintaining a secure
capability as opposed to those responsible for creating software supply chain. While we expected there to be
or overseeing the initiative. The implementation some association between implementation of security
process may be notably more challenging than its practices and performance (e.g., use of technical
oversight. We want to do further research to better capabilities, better software delivery performance, and
understand this finding. better organizational performance), we were surprised to
see that security practices were actually the mechanism
through which technical capabilities impacted software
delivery performance and organizational performance.

Accelerate State of DevOps 2022 Surprises 57

The inclusion of SLSA-related practices seems to
account for much of the effect of continuous integration,
version control and continuous delivery on both software Join the DORA Community
delivery performance and organizational performance. (http://dora.community) to
Put differently, there is a causal chain that is being
continue the discussion about
detected in the data where many technical capabilities
have a positive impact on SLSA-related practices and
these surprises and other
through this positive impact on SLSA-related practices findings in this year’s report!
have a positive impact on both software delivery
performance and organizational performance.
We used mediation analyses to detect this result.4 5
This is pushing us to explore whether our measure of
SLSA-related practices is tracking other features of the
team (e.g., general performance) and in what way security
practices lead to better software delivery performance
and organizational performance.

We look forward to studying these effects again

next year, to see whether we can reproduce and
explain these new patterns, or whether we should
lean toward dismissing them as outliers (that we
should also try to explain). As always, we welcome
feedback from the community.

4 Jung, Sun Jae. “Introduction to Mediation Analysis and Examples of Its Application to Real-world Data.” Journal of preventive medicine and public
health = Yebang Uihakhoe chi vol. 54,3 (2021): 166-172. doi:10.3961/jpmph.21.069
5 Carrión, Gabriel Cepeda, Christian Nitzl, and José L. Roldán. “Mediation analyses in partial least squares structural equation modeling: Guidelines
and empirical examples.” Partial least squares path modeling. Springer, Cham, 2017. 173-195.

Accelerate State of DevOps 2022 Surprises 58

06
Demographics Derek DeBellis

and Firmographics

Similar to previous years, we collected demographic

information from each survey respondent. Categories
Thank you for your include gender, disability, and underrepresented groups.
contributions to our
research and our industry! This year we saw representation that was consistent with
previous reports across firmographic categories including
company size, industry, and region. Again, over 60% of
respondents work as engineers or managers and a third
work in the technology industry. Additionally, we see
Who took the survey? industry representation from financial services, retail,
and industrial/manufacturing companies.
With eight years of research and more than 33,000
survey responses from industry professionals, the
State of DevOps Report showcases the software
development and DevOps practices that make teams
and organizations most successful. This year, over
1350 working professionals from a variety of industries
around the globe shared their experiences to help
grow our understanding of the factors that drive higher
performance. Thank you for your contributions to our
research and our industry! In summary, representation
across demographic and firmographic measures has
remained remarkably consistent.

Accelerate State of DevOps 2022 Who took the survey? 59

 Gender
Demographics 18%
Female

Gender 6%
Prefer not
to respond
Relative to 2021, this year’s sample had a higher
proportion of female respondents (18% vs. 12%).
The proportion of male respondents (76%) was
lower than 2021 (83%). Respondents stated that 1%
Non-binary
women make up 25% of their teams, which is 76%
identical to 2021 (25%). Male

Percent women: 25% Median

Disability

Disability 11%
Yes
We identified disability along six dimensions that
follow guidance from the Washington Group 7%
Short Set. This is the fourth year we have asked Prefer
not to say
about disability. The percentage of people
with disabilities was consistent with our 2021
82%
report at 11%. No

Underrepresented
Underrepresented
19%
Yes
Identifying as a member of an underrepresented
group can refer to race, gender, or another
10%
characteristic. This is the fifth year we have asked
Prefer
about underrepresentation. The percentage not to say
of people who identify as underrepresented
has increased slightly from 17% in 2021 to 71%
No
19% in 2022.

Accelerate State of DevOps 2022 Who took the survey? 60

Years of experience

Notably more respondents this year had five years

or less of experience (35%) than in 2021 (14%).
Perhaps unsurprisingly then, the proportion of
respondents with more than 16 years of experience
(13%) was a fraction of 2021 (41%).

This shift may explain some patterns that emerged

in the data, and we believe is important to keep this in
mind when interpreting the results, especially when
comparing to last year.

2021 2022
41%

33%

27%
25%
20%
18%
13%
8% 11%
3%

0-2 3-5 6-10 11-15 >16

Years of Experience

Accelerate State of DevOps 2022 Who took the survey? 61

Firmographics

Role

85% of respondents consist of

individuals who either work on
development or engineering teams
(26%), work on DevOps or SRE teams
(23%), work on IT ops or infrastructure
teams (19%), or are managers (17%).
The proportion of respondents who
work on IT ops or infrastructure teams
(19%) more than doubled last year’s
proportion (9%). C-level executives
(9% in 2021 to 4%), and Professional
Services (4% in 2021 to 1%) are two
of the more pronounced decreases
relative to last year.

Industry

As in previous State of DevOps

reports, we see that most
respondents work in the technology
industry, followed by financial
services, other, and retail.

Accelerate State of DevOps 2022 Who took the survey? 62

Region

This year we asked respondents to select the country

they were from instead of the region. Region, which was
frequently represented by a continent, seemed a bit too
coarse to understand the makeup of our respondents.
We received responses from participants in over 70
countries; 89% of respondents came from 22 countries.

Accelerate State of DevOps 2022 Who took the survey? 63

Number of employees are at organizations with 2,000–4,999 employees. We
also saw a fair representation of respondents (13%) from
Consistent with previous State of DevOps surveys, organizations with 500–1,999 employees , 15% with 100–
respondents come from organizations of a variety of 499 employees, and finally 15% with 20–99 employees .
sizes. 22% of respondents are at companies with more This year, we also allowed respondents to select “I don’t
than 10,000 employees and 7% are at companies with know” about their organization’s size; 15% of respondents
5,000–9,999 employees. Another 15% of respondents either reported not knowing or skipped the question.

Accelerate State of DevOps 2022 Who took the survey? 64

Team size

This year we had participants indicate the approximate

number of people on their team. 25% of respondents
worked on teams with 5 people or fewer. 50% of
respondents worked on teams with 8 people or fewer.
75% of respondents worked on teams with 12 people
or fewer.

Accelerate State of DevOps 2022 Who took the survey? 65

Deployment target target was containers. This year was no different, although
at a lower proportion (54%) than last year (64%).
2021 was the first year we decided to look at where
respondents deployed the primary service or application We also added more options in the hope of giving
they work on. To our surprise, the number one deployment respondents more ways to reflect where they deploy.

Accelerate State of DevOps 2022 Who took the survey? 66

07
Final thoughts Derek DeBellis

Each year that we produce this report, we strive to effects can take place. For example, software delivery
provide a rigorous account of how practices and performance only seems to have a positive impact
capabilities lead to business-critical outcomes such on organizational performance when operational
as organizational performance. We evaluate the performance (reliability) is high, which leads to
replicability of many effects in previous reports, the conclusion that you need both to thrive as an
and extend the scope of our work to account for organization. There were also a few surprises, which
emerging priorities in the DevOps space. This year we highlighted in a dedicated section.
we shaped our survey and analyses to do a deep
dive on security practices and altered our statistical We thank everyone who contributed to this year’s
modeling approach to explore the conditionality or survey. We hope our research helps you and your
dependencies of certain effects. We also explored organization build better teams and better software —
new ways to describe the landscape of software while also maintaining work-life balance.
delivery and operational performance.

In many ways, the narrative that materialized this year

is an echo of previous years: technical capabilities
build upon each other to create better performance;
there are many benefits inherent in the use of cloud;
workplace culture and flexibility lead to better
organizational performance; and employee
burnout prevents organizations from reaching
their goals. The analysis of interactions that
we explicitly added to the model helped us
understand the conditions under which certain

Accelerate State of DevOps 2022 Final thoughts 67

08
Acknowledgements

A large family of passionate contributors made this

year’s report possible. Survey question design, analysis,
writing, editing, and report design are just a few of the
ways that our colleagues helped to realize this large
effort. The authors would like to thank all of these
people for their input and guidance on the report this
year. All acknowledgements are listed alphabetically.

Scott Aucoin Eric Maxwell

Alex Barrett John Speed Meyers
James Brookbank Steve McGhee
Kim Castillo Jacinda Mein
Lolly Chessie Alison Milligan
Jenna Dailey Pablo Pérez Villanueva
Derek DeBellis Claire Peters
Rob Edwards Connor Poske
Dave Farley Dave Stanke
Christopher Grant Dustin Smith
Mahshad Haeri Seth Vargo
Nathen Harvey Daniella Villalba
Damith Karunaratne Brenna Washington
Todd Kulesza Kaiyuan “Frank” Xu
Amanda Lewis Nicola Yap
Ian Lewis

Accelerate State of DevOps 2022 Acknowledgements 68

09
Authors

Claire Peters

Claire Peters is a User Experience Researcher at Google. Her research comprises

various aspects and expressions of DORA in applied settings. She studies Google’s
Cloud Application Modernization Program (CAMP), DORA-driven customer
engagements, and Four-Keys-related tooling, with the goal of helping teams and
individuals more effectively apply DORA principles in their day-to-day work. Claire
is also a member of DORA’s core research team, and constructs the annual DORA
survey and the State of DevOps report. She holds an MA in Applied Cultural Analysis
from the University of Copenhagen.

Dave Farley

Dave Farley, is the managing director and founder of Continuous Delivery Ltd and
Creator of the Continuous Delivery YouTube Channel. Dave is co-author of the
best-selling Continuous Delivery book. His also the best selling author of Modern
Software Engineering: Doing What Works to Build Better Software Faster. He is
co-author of the Reactive Manifesto and a winner of the Duke Award for the open
source LMAX Disruptor project. Dave is a pioneer of Continuous Delivery, thought-
leader and expert practitioner in CD, DevOps, TDD and software design, and has
a long track record in creating high-performance teams, shaping organisations
for success, and creating outstanding software. Find more of Dave on his Twitter,
YouTube, blog, and website.

Accelerate State of DevOps 2022 Authors 69

 Daniella Villalba

Daniella Villalba is a user experience researcher dedicated to the DORA

project. She focuses on understanding the factors that make developers
happy and productive. Before Google, Daniella studied the benefits of
meditation training, the psycho-social factors that affect the experiences
of college students, eyewitness memory, and false confessions. She received
her PhD in Experimental Psychology from Florida International University.

Dave Stanke
Dave Stanke is a Developer Relations Engineer at Google, where he advises
customers on best practices for adopting DevOps and SRE. Throughout his
career, he has worn all the hats, including startup CTO, product manager,
customer support, software developer, sysadmin, and graphic designer.
He holds an MS in Technology Management from Columbia University.

Derek DeBellis

Derek DeBellis is a Quantitative User Experience Researcher at Google.

At Google, Derek focuses on survey research, logs analysis, and figuring out
ways to measure concepts central to product development. Derek has recently
published on Human-AI interaction, the impact of Covid-19’s onset on smoking
cessation, designing for NLP errors and the role of UX in privacy discussions.

Accelerate State of DevOps 2022 Authors 70

 Eric Maxwell

Eric Maxwell leads Google’s DevOps Digital Transformation practice where he

advises the world’s best companies on how to be even better – a little bit at a
time, continuously. Eric spent the first half of his career as an engineer, in the
trenches, automating all the things and building empathy for other practitioners.
Eric co-created Google’s Cloud Application Modernization Program (CAMP),
is a member of the DORA Core Team, and author of the DevOps Enterprise
Guidebook. Before Google, Eric spent time whipping up awesome with other
punny folks at Chef Software.

John Speed Meyers

John Speed Meyers is a security data scientist at Chainguard, a software

supply chain security startup. John’s research projects have included topics
such as software supply chain security, open source software security, and the
world’s response to growing Chinese military power. Previously, John worked
at In-Q-Tel, the RAND Corporation, and the Center for Strategic and Budgetary
Assessments. John has a PhD in policy analysis from the Pardee RAND Graduate
School, a masters in public affairs (MPA) from Princeton’s School of Public and
International Affairs, and a BA in international relations from Tufts University.

Kaiyuan “Frank” Xu

Kaiyuan “Frank” Xu is a Quantitative User Experience Researcher at Google. He

analyzes log and survey data to understand usage patterns and user feedback
for Google Cloud products, improving product excellence for developers.
Before Google, Kaiyuan conducted years of qualitative and quantitative user
research at Microsoft for Azure and Power Platform products. He received his
MS in Human Centered Design and Engineering from University of Washington.

Accelerate State of DevOps 2022 Authors 71

 Nathen Harvey

Nathen Harvey is a Developer Relations Engineer at Google who has built

a career on helping teams realize their potential while aligning technology
to business outcomes. Nathen has had the privilege of working with some
of the best teams and open source communities, helping them apply the
principles and practices of DevOps and SRE. Nathen co-edited and
contributed to 97 Things Every Cloud Engineer Should Know, O’Reilly 2020.

Todd Kulesza
Todd Kulesza is a User Experience Researcher at Google, where he studies
how software engineers work today, and how they might be able to work better
tomorrow. He holds a PhD in Computer Science from Oregon State University.

Accelerate State of DevOps 2022 Authors 72

10
Methodology

Research design Calculating the differences between

This study employs a cross-sectional, theory-based low performers and high performers
design known as inferential predictive, one of the In the “How do you compare” section we compare
most common types of designs conducted in business low performers and high performers on the four
and technology research today. Inferential predictive metrics of delivery performance. The method is a
design is used when purely experimental design is not simple one. Let’s take deployment frequency as an
practical or impossible. example. The high cluster deploys on demand (i.e.,
multiple times per day). If they perform an average
Target population and sampling of four deployments per day, that ends up being
The target population for this survey was practitioners 1460 deployments a year (4 * 365). The low
and leaders working in, or closely with, technology and performers, by contrast, deploy between once
transformations, especially those familiar with DevOps. We every month, to once every six months, for a mean
promoted the survey via email lists, online promotions, an deployment frequency of once every 3.5 months,
online panel, social media, and by asking people to share and an average deployment frequency of about
the survey with their networks (that is, snowball sampling). 3.4 deployments a year (12/3.5). We take the ratio
(1,460 deployments high / 3.4 deployments low)
Creating latent constructs and get 417x. This approach is generalized for the
We formulated our hypotheses and constructs using other development performance metrics.
previously validated constructs wherever possible. We
developed new constructs based on theory, definitions,
and expert input. We then took additional steps to
clarify intent to ensure that data collected from the
survey had a high likelihood of being reliable and valid.1

1 Churchill Jr, G. A. “A paradigm for developing better measures of marketing constructs,” Journal of Marketing Research 16:1, (1979), 64–73.

Accelerate State of DevOps 2022 Methodology 73

Statistical analysis methods

Cluster analysis frequency and lead time), operational performance

For both of the clustering solutions portrayed in the (reliability) and stability (a composite of time to restore
“How do you compare” section, we used hierarchical service and change failure rate). We also explored
clustering with a version of Ward’s agglomerative different clustering algorithms to see how sensitive our
method2 to evaluate how well varying cluster solutions results were to our approach. Though there isn’t an
fit the data. established way to quantify that sensitivity (that we
know of), the clusters that emerged tended to have
For the first clustering results we presented, we similar characteristics.
looked for clusters of responses across deployment
frequency, lead time, time to restore a service, and Measurement model
change failure rate. This year we found three clusters Before conducting our analysis, we identified
after evaluating 14 different hierarchical clustering constructs using exploratory factor analysis with
solutions using 30 different indices for determining principal component analysis using varimax rotation.4
the number of clusters.3 We confirmed statistical tests for convergent and
divergent validity and reliability using average variance
The second cluster analysis we presented was extracted (AVE), correlation, Cronbach’s alpha5, rhoA6A ,
methodologically identical to the first, but was deployed heterotrait-monotrait ratio5 7, and composite reliability.
over different dimensions in the data. We wanted to
look for common response patterns (i.e., clusters)
across throughput (a composite of deployment

2 Murtagh, Fionn, and Pierre Legendre. “Ward’s hierarchical agglomerative clustering method: which algorithms implement Ward’s criterion?.”
Journal of classification 31.3 (2014): 274-295.
3 Charrad M., Ghazzali N., Boiteau V., Niknafs A. (2014). “NbClust: An R Package for Determining the Relevant Number of Clusters in a Data Set.”,
“Journal of Statistical Software, 61(6), 1-36.”, “URL http://www.jstatsoft.org/v61/i06/”
4 Straub, D., Boudreau, M. C., & Gefen, D. (2004). Validation guidelines for IS positivist research. Communications of the Association for Informa-
tion systems, 13(1), 24.
5 Nunnally, J.C. Psychometric Theory. New York: McGraw-Hill, 1978
6 Hair Jr, Joseph F., et al. “Partial least squares structural equation modeling (PLS-SEM) using R: A workbook.” (2021): 197.
7 Brown, Timothy A., and Michael T. Moore. “Confirmatory factor analysis.” Handbook of structural equation modeling 361 (2012): 379.

Accelerate State of DevOps 2022 Methodology 74

Structural equation modeling
We tested the structural equation models (SEM)
using Partial Least Squares (PLS) analysis8, which
is a correlation-based structural equation modeling.

Analysis of the
second cluster model
To understand what predicts cluster membership,
we employed multinomial logistic regression.9
We used this approach because we were trying
to predict cluster membership, which, in this
case, is unordered categorical data with more
than two levels. To understand the outcomes that
cluster memberships predicted, we used a linear
regression for each outcome (burnout, unplanned
work, and organizational performance.

8 Hair Jr, J. F., Hult, G. T. M., Ringle, C. M., & Sarstedt, M. (2021). “A primer on partial least squares structural equation modeling (PLS-SEM).”
Sage publications.
9 Ripley, Brian, William Venables, and Maintainer Brian Ripley. “Package ‘nnet’.” R package version 7.3-12 (2016): 700.

Accelerate State of DevOps 2022 Methodology 75

11
Further reading

Join the DORA Community to discuss, learn, Explore the DevOps research program
and collaborate on improving software delivery https://goo.gle/devops-research
and operations performance.
http://dora.community Learn from other companies who have
implemented DORA practices by reading
Learn more about the Four Keys metrics out Google Cloud DevOps Award winner ebook
https://goo.gle/four-keys https://goo.gle/devops-awards

Find more information on DevOps capabilities. Find out about the Google Cloud Application
https://goo.gle/devops-capabilities Modernization Program or CAMP.
https://goo.gle/3daLa9s
Learn more about how you can implement
DORA practices in your organization, from Leveraging data and DORA metrics
our Enterprise Guidebook to transform tech processes
https://goo.gle/enterprise-guidebook https://goo.gle/3Doh8Km

Find resources on Site Reliability Engineering (SRE) Read the whitepaper: “The ROI of DevOps
https://sre.google Transformation: How to quantify the impact of
https://goo.gle/enterprise-roadmap-sre your modernization initiatives” by Forsgren, N.,
Humble, J., & Kim, G. (2018).
Take the DevOps Quick Check https://goo.gle/3qEClIh
https://goo.gle/devops-quickcheck

Accelerate State of DevOps 2022 Further reading 76

Read the book: Accelerate: The science behind Learn more about NTIA.gov’s Software Bill of Materials
devops: Building and scaling high performing https://www.ntia.gov/SBOM
technology organizations. IT Revolution.
https://itrevolution.com/book/accelerate Cybersecurity: Federal Response to SolarWinds
and Microsoft Exchange Incidents
Learn more about the Supply chain Levels for https://www.gao.gov/products/gao-22-104746
Secure Artifacts (SLSA) framework
https://slsa.dev Learn more about application-level security
scanning as part of CI/CD
Learn more about Secure Software https://go.dev/blog/survey2022-q2-results#security
Development Framework (NIST SSDF)
https://goo.gle/3qBXLWk Last but not least, see prior State of DevOps Reports.
All are listed at https://goo.gle/dora-sodrs:
Learn more about DevOps culture: Westrum 2014 Accelerate State of DevOps Report
organizational culture 2015 Accelerate State of DevOps Report
https://goo.gle/3xq7KBV 2016 Accelerate State of DevOps Report
2017 Accelerate State of DevOps Report
Learn more about Open Source Security Foundation 2018 Accelerate State of DevOps Report
https://openssf.org/ 2019 Accelerate State of DevOps Report
2021 Accelerate State of DevOps Report
Learn more about in-toto
https://in-toto.io/

Accelerate State of DevOps 2022 Further reading 77