In 2009, we were awakened to Allspaw and Hammond’s “10 deploys a day”. In 2010, Jez Humble and Dave Farley advised us to “build quality in”. But in 2019, breaches hit 24% of software development teams. Are we staking our future on a pace we haven’t yet learned to secure?
In a year-long collaboration between Gene Kim and Dr. Stephen Magill, we objectively examined and empirically documented software release patterns and cybersecurity hygiene practices across 36,000 commercial development teams and open source projects. Our research uncovered different software development and cybersecurity hygiene behaviors that we categorized as Exemplars, Laggards, Features First, and Cautious.
In this session, I will reveal the insights we uncovered. Attendees will learn which techniques, team structures and release patterns exemplary development teams have championed at large enterprises like ABN AMRO, Walmart, and SEGA, as well as within open source project teams from the likes of Elasticsearch, Mulesoft, and SonarSource. I’ll also share observations of exemplary DevSecOps practices that deliver 50% more commits, release new code 2.4X faster, and remediate security vulnerabilities 2.9X faster.
Exemplars, Laggards, and The Cautious: a data-driven look at high-velocity software development practices
1. Derek E. Weeks
VP and DevOps Advocate, Sonatype
Co-founder, All Day DevOps
@weekstweets
Exemplars, Laggards, and Hoarders
A Data-Driven Look at Open Source Software Supply Chains
2. …once it ceases to sacrifice quality for speed
Credit: Neil Beyersdorf
12. Two Different Worlds
Enterprise                      | Open Source
Multiple deploys per day        | Versioned releases
Consistent development team     | Fluid group of developers
Predictable, well-resourced     | Variable resource availability
@weekstweets
13. With Similar Metrics
Enterprise                      | Open Source
Deployment Frequency            | Release Frequency
Organizational Performance      | Popularity
Mean Time to Restore            | Time to Remediate Vulnerabilities
@weekstweets
16. Attributes and Measures
Attribute           | Measure
Popularity          | Avg. daily Central Repository downloads
Size of Team        | Avg. unique monthly contributors
Development Speed   | Avg. commits per month
Release Speed       | Avg. period between releases
Presence of CI      | Presence of popular cloud CI systems
Foundation Support  | Associated with an open source foundation
Security            | More complicated
Update Speed        | More complicated
@weekstweets
19. Projects that release frequently:
are 5x more popular.
attract 79% more developers.
have 12% greater foundation support rates.
@weekstweets
36. Hypothesis 3
Projects with fewer dependencies will stay more up to date.
(REJECTED)
Components with more dependencies actually have better MTTU.
@weekstweets
37. More dependencies correlate with larger development teams.
Larger development teams have 50% faster MTTU and release 2.6x more frequently.
@weekstweets
41. Hypothesis 4
More popular projects will be better about staying up to date.
(REJECTED)
There are plenty of popular components with poor MTTU.
Popularity does not correlate with MTTU.
@weekstweets
42. 5 Behavioral Clusters for OSS “Suppliers”
Small Exemplar (606): small development teams (1.6 devs), exemplary MTTU.
Large Exemplar (595): large development teams (8.9 devs), exemplary MTTU, very likely to be foundation supported, 11x more popular.
Laggards (521): poor MTTU, high stale dependency count, more likely to be commercially supported.
Features First (280): frequent releases, but poor TTU. Still reasonably popular.
Cautious (429): good TTU, but seldom completely up to date.
Rest of the population: 8,142
@weekstweets
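The measures on slide 16 and the MTTU and stale-dependency figures on slides 36 to 42 say what was counted but not how. As an added example (not code from the talk, from Sonatype, or from the study), here is a small Python script that computes release speed, development speed, time-to-update and stale dependency count for one project from constructed release and dependency records. The time-to-update definition used here is an assumption of mine: the talk itself only calls the real security and update-speed measures "more complicated".

```python
from datetime import date
from statistics import mean

# Constructed sample data (not from the talk): one project's release dates,
# its commit counts per month, the upstream release history of two of its
# dependencies, and the versions of those dependencies it declared over time.
PROJECT_RELEASES = [date(2019, 1, 10), date(2019, 2, 14), date(2019, 3, 20), date(2019, 5, 2)]
COMMITS_PER_MONTH = {"2019-01": 42, "2019-02": 37, "2019-03": 51, "2019-04": 30, "2019-05": 20}
UPSTREAM = {  # dependency -> [(version, upstream release date)]
    "libfoo": [("1.0", date(2018, 12, 1)), ("1.1", date(2019, 1, 20)), ("1.2", date(2019, 4, 1))],
    "libbar": [("2.0", date(2019, 1, 5)), ("2.1", date(2019, 3, 1))],
}
DECLARED = {  # dependency -> [(version, date the project first declared it)]
    "libfoo": [("1.0", date(2019, 1, 10)), ("1.1", date(2019, 2, 14)), ("1.2", date(2019, 5, 2))],
    "libbar": [("2.0", date(2019, 1, 10))],  # never moved to 2.1, so it is stale
}
AS_OF = date(2019, 6, 1)  # observation date for releases not yet adopted


def parse_version(v):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def avg_days_between_releases(release_dates):
    """Release speed (slide 16): mean gap in days between consecutive releases."""
    ordered = sorted(release_dates)
    gaps = [(later - earlier).days for earlier, later in zip(ordered, ordered[1:])]
    return mean(gaps) if gaps else None


def avg_commits_per_month(commits_by_month):
    """Development speed (slide 16): mean commits per calendar month."""
    return mean(commits_by_month.values())


def time_to_update(upstream, declared, as_of):
    """Update speed. Assumed definition (not the study's): for every upstream
    release published after the project first declared that dependency, the days
    until the project first declared a version >= that release. Releases still not
    adopted are listed separately with how long they have waited as of `as_of`,
    so they do not silently drop out of the mean."""
    adopted, pending = [], []
    for dep, releases in upstream.items():
        history = sorted(declared.get(dep, []), key=lambda item: item[1])
        if not history:
            continue  # not a dependency of this project
        first_declared = history[0][1]
        for version, released in releases:
            if released <= first_declared:
                continue  # predates adoption of the dependency; nothing to update
            hit = next((d for v, d in history
                        if parse_version(v) >= parse_version(version) and d >= released), None)
            if hit is None:
                pending.append((dep, version, (as_of - released).days))
            else:
                adopted.append((dep, version, (hit - released).days))
    return {
        "mttu_days": mean(days for _, _, days in adopted) if adopted else None,
        "adopted": adopted,
        "pending": pending,
    }


def stale_dependencies(upstream, declared):
    """Stale dependency count (slide 42): dependencies whose newest declared
    version is older than the newest upstream version."""
    stale = []
    for dep, releases in upstream.items():
        if dep not in declared:
            continue
        latest_upstream = max(parse_version(v) for v, _ in releases)
        latest_declared = max(parse_version(v) for v, _ in declared[dep])
        if latest_declared < latest_upstream:
            stale.append(dep)
    return stale


def summarize():
    """Gather the per-project measures into one record, as a study would per project."""
    ttu = time_to_update(UPSTREAM, DECLARED, AS_OF)
    return {
        "avg_days_between_releases": avg_days_between_releases(PROJECT_RELEASES),
        "avg_commits_per_month": avg_commits_per_month(COMMITS_PER_MONTH),
        "mttu_days": ttu["mttu_days"],
        "updates_pending": len(ttu["pending"]),
        "stale_dependencies": stale_dependencies(UPSTREAM, DECLARED),
    }


if __name__ == "__main__":
    for key, value in summarize().items():
        print(f"{key}: {value}")
```

The pending list is the part worth keeping an eye on: a project that never adopts a release has no finite time-to-update, and averaging only over adopted releases would make a Laggard look like an Exemplar. Reporting the open intervals alongside the mean avoids that.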
45. Enterprise Developers Manage Dependencies (n = 658)
We schedule updating dependencies as part of our daily work
We strive to use the latest version (or latest-N) of all our dependencies
We use some process to add a new dependency (e.g., evaluate, approve, standardize, etc.)
We have a process to proactively remove problematic or unused dependencies
We have automated tools to track, manage, and/or ensure policy compliance of our dependencies
YES responses reported on the slide: 46%, 50%, 30%, 37%, 38%
@weekstweets
46. When you climb the mountain every day, it’s easier.
@weekstweets