Development Velocity Is a Surprisingly Good Thing, Say Researchers


The fifth annual State of the Software Supply Chain report continues to inspire discussion

Sonatype’s Derek Weeks and Stephen Magill of Galois talk with our own Mark Miller about working with Gene Kim of IT Revolution, and how they produced this year’s research, on an episode of DevSecOpDays.

New this year is the collaborative research partnership. The research covered the largest data set to date: 36,000 open source projects and 12,000 commercial development teams. The added academic rigor and depth produced a detailed global examination of open source software.

What isn’t new? Derek reminds listeners why the report remains a perennial industry reference: as in previous years, it examines the trendlines of open source component use, vulnerabilities, and data breaches, and it reviews the emerging response to this landscape from public and private entities.

The Hypothesis

Stephen explains how the project started with a hypothesis. Could the researchers define excellence and discover the behavioral commonalities that support it? Further, how does excellence relate to security, and to commit cadence?

The researchers expected that projects with fewer dependencies would be easier to keep up to date, and would therefore be more secure. They also expected projects that released more frequently to be more popular. Surprisingly, they found no correlation between the number of dependencies, established maintenance routines, and popularity.

They did observe a relationship between the size of a development team and the number of dependencies in its software. Classic chicken-or-egg: did larger projects need more code and therefore more developers, or did the codebase grow as developers brought in their favorite libraries?

The Results

One takeaway from the report, and only one of many, is that development velocity is an indicator of quality: projects with faster release schedules also tend to be more secure.

Exemplary teams are a small share of the population.

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Katie McCaskey. Read the original post at: