Are happy developers more security conscious?

Sonatype's latest DevSecOps Community Survey highlighted a correlation between developer happiness and application security hygiene, with happy developers 3.6x less likely to neglect security when it comes to code quality.

The link between happy workers and security/safety is not a new one. In many industries, such as manufacturing and public utilities, a correlation has been shown between the two. Now we have evidence that the same association exists within the development sector.

Results from Sonatype's latest DevSecOps Community Survey highlight a link between developer happiness and application security hygiene. The survey found that happy developers are 3.6 times less likely to neglect security when it comes to code quality, 2.3 times more likely to have automated security tools in place, and 1.3 times more likely to follow open source security policies.


Why does happy = secure?

Why is this the case? Simply put, happy developers get the tools, training and support they need from their employers.

"This year's survey report reveals the link between happiness and security in a number of ways. First our findings showed that happy developers received more application security training than their grumpy peers," says Derek Weeks, Vice President of Sonatype.

"Second, the report points to happy developers having access to more security tooling and more collaboration with security peers. The study also points to evidence that developers are happier in mature DevOps organisations, and that higher DevOps maturity points to better security practices."

Nigel Kersten, Puppet's UK field CTO, says the psychological safety for development teams comes from having autonomy in decision-making, being empowered to automate soul-crushing work, being able to optimise the overall software delivery lifecycle they're part of, and feeling secure in taking appropriate risks in order to make progress.

"If you can focus on delivering value with your code and are confident that you have the right automated guardrails in place to ensure code security then you're going to be much happier at work," he notes.


Getting it right

According to the 2019 State of DevOps Industry Report Card, it's the technology, retail and telecom sectors that are leading the way. "This is because they empower their teams to transform by giving teams space and resources to implement best practices as the top priority over the pressure to deliver features," says Jeff Keyes, VP of Product at Plutora.

But rather than specific industries ‘getting it right’, it's more about a company's willingness to invest in a culture which allows developers to thrive.

"Working in the knowledge that you have the support and trust of your employer is one of the biggest factors in keeping a team of developers happy," says Ayesha Mazumdar, a senior UX engineer at Optimizely. "The support from colleagues, managers and leadership to do your best work on a day-to-day basis means we as developers can focus on the tasks at hand. Being trusted to make your own decisions and prioritise your own workload is always appreciated because it lets developers explore options, learn new things and grow as people."


Finance - a grey area?

Unsurprisingly the banking and finance industry appears to be a sector where security is high, but is this down to developer happiness or simply the nature of the highly regulated industry? The 2019 State of DevOps Industry Report Card highlights finance as one of the sectors struggling to transform, yet Sonatype's research found that the use of specific tool types in the banking and financial sector was almost twice as much as the combined industry numbers.

"Dynamic analysis and security testing (DAST), for example, was a tool category used twice as much in this sector," says Sonatype DevSecOps advocate DJ Schleen. "Our initial thought is that regulations and compliance requirements mandate the use of this kind of coding."

Aaron Lint, Chief Scientist and VP of Arxan, believes that the link between developer happiness and security is strong at challenger banks, however, because the digital experience is their credibility.

"They prioritise a modern and lean software development lifecycle process (SDLC) and the related application security practices, driven by the fact that their reputation is inexorably tied to their experience and reliability. All of this generally dictates a culture which prioritises enabled and happy developers," he says.


Who's straggling behind?

Lint goes on to note that legacy enterprises preparing or going through digital transformation could well be straggling behind when it comes to developer happiness.

"Often the biggest problem is that the individual change initiatives don't have enterprise-wide visibility and buy-in, which creates friction and in-fighting. Developers often take the brunt of that, for example being told to abort tasks, redo work and jump through hoops. This drives developer productivity and job satisfaction down."

"Change is hard, especially in businesses that have been around for a while and have unintentionally created silos around functions, making it difficult to optimise the whole software delivery lifecycle," continues Kersten.

"There really isn't a single sector that's falling behind, it tends to be more aligned with how businesses think of their future. Are they building software into the fabric of their offering? Do they want to empower technology at the heart of what they do? These tend to be the businesses who are getting ahead."


How to keep your developers happy

In order to keep your developers happy, employers need to be willing to invest in tools, training and automation projects. Collaboration between security and development teams should be encouraged and staff should be given the freedom they need to work creatively.

Sonatype found that the widest gaps between happy and grumpy developers were found in friction with management and accessible training.

"Often friction can be improved when cultures support more open communication and collaboration. The correlation to training is tied to an employee's opportunity to learn. Where employees have greater access to learning opportunities, they feel they are growing experiences that will be helpful to their careers," says Weeks.

Rob Hedgpeth, Director of Developer Relations at MariaDB, agrees that continuous education is key to staff happiness. He says it's important for companies to relay to their developers that they have a vested interest not only in their production for the company, but also in their own goals, aspirations and careers.

"Based on my own experience, that kind of culture needs to be pervasive throughout the entire organisation, not only for developers. The best way that I've seen this done is by removing obstacles from people's paths. Just let them do what they do best: innovate.

"An example would be the promotion of modern solutions that come standard with features like end-to-end encryption and built-in, high security standards. This creates an environment that encourages good security practices while keeping developers focused on creation, rather than having them Google ‘best security practices for…’. There's no need to reinvent the wheel."