GitLab’s latest DevSecOps report shows the multifaceted challenges and opportunities in integrating artificial intelligence within software development practices.

Now in its eighth year, the report captures the perspectives of over 5,300 professionals from across the software development spectrum. It provides valuable insights into the current state of AI adoption, the speed of software delivery, and the contrasting views between executives and developers on various aspects of DevSecOps.

GitLab’s 8th annual global DevSecOps report

The 8th Annual Global DevSecOps Report from GitLab offers a look at the state of software development, focusing on the intersection of development, security, and operations.

2024’s survey, conducted in April, involved over 5,300 professionals, including developers, security experts, and executives, providing a well-rounded view of the industry’s trends and challenges.

The latest edition of GitLab’s report details several key areas of interest, including AI adoption, software delivery acceleration, risk perceptions, skill gaps, training adequacy, and supply chain security. Collecting responses from a diverse group of professionals means the report presents a balanced and detailed picture of the current DevSecOps environment.

The survey conducted in April 2024 involved over 5,300 professionals in the software development field.

Because of the wide-ranging participation, the insights reflect the experiences and opinions of a broad spectrum of the industry, from C-suite executives to individual contributors working on the front lines of software development.

Executive perceptions vs. Developer realities

One of the most notable findings is that 69% of CxOs report their organizations are now shipping software at least twice as fast as they did the previous year.

Despite this impressive acceleration, only 26% of respondents have integrated AI into their workflows. This discrepancy raises important questions about the factors driving the increased pace of software delivery. It suggests that while AI has the potential to significantly boost productivity and speed, other factors—such as process improvements, better tools, or increased collaboration—may be playing a larger role in the observed acceleration.

AI adoption and risk perception

Among CxOs, 56% view AI as risky, primarily due to concerns about its impact on privacy and data security. In contrast, only 40% of individual contributors share these concerns.

There is a clear divide between executives and developers when it comes to the perceived risks of AI integration in the software development lifecycle.

Executives might be more cautious due to their broader responsibility for organizational risk, while developers, who are closer to the technology, may have more confidence in its safe and effective implementation.

Skills and training disparity

GitLab’s report identifies a notable disparity in perceptions of AI skills within organizations. While 35% of CxOs point to a lack of appropriate AI skills as a significant obstacle, only 26% of individual contributors agree.

Differences like these suggest that executives may perceive a broader skills gap, possibly reflecting concerns about the overall readiness of their teams to adopt and leverage AI technologies effectively.

In terms of training and resources, 25% of individual contributors feel their organizations do not provide adequate support for AI, compared to just 15% of CxOs. This indicates that individual contributors are more likely to experience a shortfall in AI training and resources firsthand, whereas executives might believe they are already offering sufficient support.

Such a perception gap can lead to underinvestment in necessary training programs and resources, further hindering AI adoption.

Software supply chain security

The report reveals significant concerns regarding software supply chain security.

An alarming 67% of individual contributors report that a quarter or more of their code comes from open source libraries. Despite this heavy reliance on open source components, only 21% of organizations use a software bill of materials (SBOM) to document the software composition.

A lack of visibility in the software supply chain poses substantial security risks, as undocumented open source components can harbor vulnerabilities that might be exploited by malicious actors.

Without SBOMs, organizations are potentially exposed to security threats without a clear understanding of their software’s full composition and the associated risks.
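To make the visibility gap concrete, the following added example (not GitLab’s code or part of the report) shows what an SBOM captures and what it misses when it is not generated from the real artifact. It parses a constructed, pinned Python requirements file into a minimal CycloneDX 1.5 JSON document, then compares that SBOM against a constructed list of packages observed in the built artifact, flagging any component that is present but undocumented. The manifest, the installed-package list, and the application name are all assumptions made up for the example.

```python
import json
import re

# Constructed sample: a pinned Python requirements file, as a build would lock it.
SAMPLE_REQUIREMENTS = """\
# constructed example manifest (not a real project)
requests==2.31.0
urllib3==2.0.7
pyyaml==6.0.1
"""

# Constructed sample: packages actually present in the built artifact (for instance
# from a container image inventory). 'certifi' arrived transitively and was never
# declared, so an SBOM built only from the manifest would not mention it.
SAMPLE_INSTALLED = [
    ("requests", "2.31.0"),
    ("urllib3", "2.0.7"),
    ("pyyaml", "6.0.1"),
    ("certifi", "2023.7.22"),
]

# Only exact pins are accepted: an SBOM must name one version, not a range.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.\-]+)\s*==\s*([A-Za-z0-9_.+!\-]+)\s*$")


def parse_pinned_requirements(text):
    """Return (name, version) tuples for every pinned line; comments and blanks are skipped."""
    pins = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        pins.append((m.group(1).lower(), m.group(2)))
    return pins


def purl_pypi(name, version):
    """Package URL for a PyPI component, the identifier SBOM tools match on."""
    return f"pkg:pypi/{name.lower()}@{version}"


def build_sbom(pins, app_name="example-app", app_version="0.1.0"):
    """Build a minimal CycloneDX 1.5 document for the application and its declared components."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {
            "component": {"type": "application", "name": app_name, "version": app_version}
        },
        "components": [
            {"type": "library", "name": n, "version": v, "purl": purl_pypi(n, v)}
            for n, v in pins
        ],
    }


def undocumented_components(sbom, installed):
    """Return purls present in the artifact but absent from the SBOM (the visibility gap)."""
    documented = {c["purl"] for c in sbom["components"]}
    return sorted(
        purl_pypi(n, v) for n, v in installed if purl_pypi(n, v) not in documented
    )


if __name__ == "__main__":
    sbom = build_sbom(parse_pinned_requirements(SAMPLE_REQUIREMENTS))
    print(json.dumps(sbom, indent=2))
    # Any purl printed here is a component that vulnerability matching would never see.
    print("undocumented:", undocumented_components(sbom, SAMPLE_INSTALLED))
```

The design point is the last function: an SBOM is only as useful as its coverage, so it should be generated from (or reconciled against) the built artifact, not just the declared manifest, otherwise transitive dependencies like the constructed `certifi` entry stay invisible to vulnerability matching.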

Developer productivity measurement

Measuring developer productivity remains a persistent challenge for many organizations. While 99% of CxOs acknowledge that tracking productivity could benefit their business, there is a wide gap in the effectiveness of current measurement methods.

A significant 51% of CxOs admit that their existing metrics are either flawed or non-existent. This gap suggests a lack of standardized methods to accurately assess the output and efficiency of development teams.

Without precise metrics, it becomes difficult to allocate resources effectively, manage teams, and identify areas for improvement.

In many cases, traditional productivity metrics such as lines of code written or the number of commits do not capture the true value of a developer’s work.

Measures like these often overlook the complexity of tasks, the quality of the code, and the collaborative efforts required in modern development environments. As a result, organizations may fail to recognize high-performing developers and might also miss opportunities to support those who need additional training or resources.

Importance of measuring productivity

The importance of accurately measuring developer productivity cannot be overstated.

With 57% of CxOs viewing developer productivity as a key driver of growth, there is a clear recognition that effective measurement can lead to better business outcomes.

Precise productivity metrics can inform strategic decisions, optimize resource allocation, and improve team performance. Productivity metrics also help identify bottlenecks in the development process, letting organizations address issues promptly and improve overall efficiency.

Effective measurement of productivity also contributes to a more transparent and motivated work environment. Developers who understand how their contributions are assessed are more likely to be engaged and aligned with the organization’s goals.

Clear metrics can facilitate meaningful feedback and career development, fostering a culture of continuous improvement.

Issues with current measurement methods

The current methods for measuring developer productivity are often criticized for being inadequate. With 51% of CxOs acknowledging flaws in their measurement techniques, it is evident that many organizations struggle to find reliable metrics.

Reliance on superficial indicators such as lines of code or the number of completed tasks does not reflect the actual impact of a developer’s work.

This inadequacy in measurement can lead to misinformed management decisions, poor resource allocation, and unrecognized contributions. Developers may feel undervalued if their efforts are not accurately reflected in productivity metrics, leading to decreased morale and productivity.

Without comprehensive metrics, it is challenging to identify and replicate best practices across teams.

Toolchain bloat

A significant discrepancy exists between the number of tools used by developers and the perception of tool usage by executives.

Individual contributors report using between 6 and 14 different tools in their daily workflows, while CxOs believe that only 2 to 5 tools are in use, highlighting a potential misunderstanding of the complexities and demands of modern software development processes.

Extensive use of multiple tools can lead to toolchain bloat, where the abundance of tools complicates rather than simplifies the development process. This can result in inefficiencies, as developers spend more time managing and switching between tools than focusing on coding and problem-solving.

Toolchain bloat can also introduce integration challenges, where different tools may not work seamlessly together, causing further delays and frustrations.

Desire for toolchain consolidation

The desire for toolchain consolidation is evident among developers, particularly those using AI for development.

A substantial 74% of respondents using AI express a preference for consolidating their toolchains, compared to 57% of non-AI users, suggesting that developers recognize the benefits of a smoother, cohesive set of tools that can improve their productivity and reduce the complexity of their workflows.

Consolidating toolchains can lead to more efficient development processes, better integration of tools, and reduced cognitive load for developers. It can also simplify training and onboarding for new team members, as they need to familiarize themselves with fewer tools.

For organizations, a consolidated toolchain can result in cost savings, easier maintenance, and improved security by reducing the number of potential vulnerabilities.

Key quotes and insights

Ashley Kramer, GitLab’s chief marketing and strategy officer, highlights a notable disconnect between leadership and developers, particularly concerning risk management and training. Such disconnects often result in misaligned priorities and strategies, where executives may not fully understand the challenges faced by developers on the ground.

Kramer points out that bureaucratic red tape can significantly hinder the ability to resolve issues quickly, which is particularly problematic in fast-paced development environments where agility and responsiveness are key.

Delays caused by excessive approval processes and rigid protocols can stifle innovation and slow down the development cycle.

Ashley Kramer’s insights

Kramer emphasizes the importance of bridging the gap between organizational leadership and developers. By using technology to simplify processes and foster better communication, organizations can drive innovation more effectively.

Addressing the disconnect requires a concerted effort to understand and address the concerns of developers, making sure they have the necessary resources and support to succeed.

Kramer’s insights suggest that organizations should prioritize the alignment of executive strategies with the practical needs of their development teams. Alignment can lead to more cohesive and productive workflows, ultimately benefiting the organization as a whole.

Key takeaway

Alignment between executive strategies and developer needs is key for fostering a productive and innovative DevSecOps environment. By addressing disparities in perception, tooling, and security practices, organizations can create a more harmonious and effective development process.

To achieve sustainable growth and innovation in DevSecOps, it is key to address the existing disparities in perception, tooling, and security practices. Organizations need to invest in training programs, adopt more accurate productivity metrics, and streamline their toolchains.

In doing so, organizations can improve the efficiency and morale of their development teams, leading to better business outcomes and a stronger competitive edge.

Alexander Procter

August 5, 2024
