For enterprise security professionals alarmed about the rising number of supply chain attacks, a report released this week by Google Cloud's DORA (DevOps Research and Assessment) program has good news: DevSecOps best practices are becoming more and more common.

The recent prevalence of supply chain attacks, most notably the SolarWinds attack, which affected numerous large companies in 2021, has brought the topic into prominence. The report, though, found that many supply chain security practices recommended by the major frameworks are already in place among software developers, based on an ongoing "snowball" survey of 33,000 such developers over the past eight years.

There are two major frameworks for addressing software supply chain development issues, which stem from the complex nature of modern software development: many projects include open source components, licensed libraries, and contributions from numerous developers and various third parties.

Two major security frameworks aim at supply chain attacks

One major security framework is Supply-chain Levels for Software Artifacts, a Google-backed standard, and the other is NIST's Secure Software Development Framework. Both enumerate a number of best practices for software development, including two-person review of software changes, protected source code platforms, and dependency tracking.

"The interesting thing is that a lot of these practices, according to the survey, are actually relatively established," said John Speed Meyers, a security data scientist at supply-chain security firm Chainguard and one of the report's contributing writers. "A lot of the practices in there, 50% of the respondents said that they were established."

The most common of those practices, according to Google user experience researcher Todd Kulesza, another author of the report, is CI/CD (continuous integration/continuous delivery), a method of rapidly delivering applications and updates by applying automation at different stages of development.

"It's one of the key enablers for supply chain security," he said. "It's a backstop – [developers] know that the same vulnerability scanners, et cetera, are all going to be run against all their code."

Moreover, the report found that a healthier culture in software development teams was a predictor of fewer security incidents and better software delivery. Higher-trust cultures, where developers felt comfortable reporting problems and confident that their reports would bring action, were much more likely to produce more secure software and retain good developers.

"Sometimes, cultural arguments can feel really fluffy," said Speed Meyers. "What is nice about some of these … culture ideas is that they actually lead to concrete standards and practices."

Kulesza echoed that emphasis on high-trust, collaborative culture in software working groups, which the report refers to as "generative" culture, as opposed to rules-based "bureaucratic" or power-focused cultures. He said that practices like after-action reports for development incidents and preset standards for work led to better outcomes across the board.

"One way to think about this is that if there is a security vulnerability that an engineer realizes has made it into production, you don't want to be in an organization where that engineer worries about bringing that problem to light," he said.
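Two of the practices named above, two-person review of changes and dependency tracking, are the kind of thing Kulesza's "backstop" CI/CD pipeline can enforce mechanically. The following Python is an added illustration, not code from the DORA report, SLSA, or the NIST framework: it is a hypothetical policy gate that takes a constructed record of a change (author, approvers, and the pip-style requirements file it ships) and reports whether the change had an independent approver and whether every dependency is pinned to an exact version with a sha256 hash. The sample data, the `ChangeRecord` type, and the hash values are all constructed placeholders.

```python
"""Hypothetical CI policy gate for two supply-chain practices: two-person
review and tracked (pinned, hash-verified) dependencies.  Added example;
not part of any published framework."""

from dataclasses import dataclass
import re


@dataclass
class ChangeRecord:
    author: str
    approvers: list[str]        # reviewers who approved the change
    requirements: list[str]     # raw lines of the requirements file shipped with it


def two_person_review_ok(change: ChangeRecord, required_approvals: int = 1) -> bool:
    """True when enough people *other than the author* approved the change.
    Self-approval never counts, which is the whole point of two-person review."""
    independent = {a for a in change.approvers if a != change.author}
    return len(independent) >= required_approvals


# name==exact.version, stopping at whitespace or a line-continuation backslash
_PINNED = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\]+)")
_HASH = re.compile(r"--hash=sha256:[0-9a-f]{64}")


def _logical_lines(lines):
    """Join pip-style continuation lines (trailing backslash) into one entry."""
    buf = ""
    for raw in lines:
        s = raw.strip()
        if s.endswith("\\"):
            buf += s[:-1] + " "
            continue
        yield buf + s
        buf = ""
    if buf:
        yield buf.strip()


def dependency_findings(requirements: list[str]) -> list[tuple[str, str]]:
    """Return (entry, problem) pairs for dependencies that are not exactly
    pinned or carry no sha256 hash; an empty list means every entry is tracked."""
    findings = []
    for line in _logical_lines(requirements):
        if not line or line.startswith("#"):
            continue
        if not _PINNED.match(line):
            findings.append((line, "not pinned to an exact version"))
            continue
        if not _HASH.search(line):
            findings.append((line, "no sha256 hash for verification"))
    return findings


def evaluate_change(change: ChangeRecord) -> dict:
    """Summarise which of the two practices the change satisfies."""
    findings = dependency_findings(change.requirements)
    return {
        "two_person_review": two_person_review_ok(change),
        "dependencies_tracked": not findings,
        "dependency_findings": findings,
    }


# Constructed sample: reviewed by someone other than the author, but the
# manifest mixes a hashed pin, an unpinned range, and a pin without a hash.
SAMPLE_CHANGE = ChangeRecord(
    author="alice",
    approvers=["alice", "bob"],
    requirements=[
        "# constructed sample manifest",
        "requests==2.31.0 \\",
        "    --hash=sha256:" + "0" * 64,   # placeholder hash, not a real digest
        "pyyaml>=6.0",
        "urllib3==2.2.1",
    ],
)

# Constructed sample: the author approved their own change.
SELF_APPROVED_CHANGE = ChangeRecord(
    author="alice", approvers=["alice"], requirements=["requests==2.31.0"]
)

if __name__ == "__main__":
    for name, change in (("sample", SAMPLE_CHANGE), ("self-approved", SELF_APPROVED_CHANGE)):
        result = evaluate_change(change)
        print(name, result["two_person_review"], result["dependencies_tracked"])
        for entry, problem in result["dependency_findings"]:
            print("  ", entry, "->", problem)
```

Run as a CI step, a gate like this fails the build when either check is false; the findings list tells the developer exactly which manifest entry to fix, which is the "concrete standard" the culture discussion above is pointing at.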