In recent years, we at Sonatype have dedicated an extensive amount of time to studying enterprise development teams, open source projects, and how everything in the OSS ecosystem works together. In fact, in a two-year-long study with Gene Kim and Stephen Magill we examined software release patterns and cybersecurity hygiene practices across 30,000 different projects and teams.
Through this, we've found three truths for software engineering teams and the 20 million software developers who work for them:
These truths can sometimes feel at odds with each other. Developers do not "own" the security of their own products. Instead, they are subject to security oversight and are relegated to reactive tools that tell them about vulnerabilities and code issues only after development is done. While most developers have become more aware of security, it is difficult to implement appropriate measures when the current tools for managing open source dependencies are often built with security rather than development in mind.
I believe we're in the middle of an inflection point. The role of the software developer is changing again. Whether they're ready or not, developers now need to take responsibility for security and code quality, as the definition of dependency management evolves. With developers now needing to manage all of these elements simultaneously, their roles have become increasingly complex. It is therefore critical that they can have tools to automate key processes, helping to boost productivity, while simultaneously improving software security and quality.
This is why I'm proud to introduce Sonatype's newest enhancements for Sonatype Lifecycle: the Advanced Development Pack.
High-performing teams need solutions that make their development practices better. 67% of developers are regularly impacted when dependency upgrades break the functionality of their application, requiring them to spend time on rework. Tools that integrate dependency management into existing DevOps pipelines and go beyond just vulnerability identification and warnings are what developers require.
Organizations that invest in sourcing the best components from the fewest and best suppliers, and in keeping those components updated, are widening the gap against their competitors. The best-performing organizations apply automation to help them manage their open source component choices and updates. For instance, we know that top-performing projects release 1.5 times more frequently than others and manage 2.9 times fewer dependencies. We also know that open source projects that update their dependencies more frequently typically maintain more secure code.
We wanted to put the control back in the development teams' hands. We wanted to help them engage in proactive dependency management practices without losing the momentum of agile development. The Advanced Development Pack does all of this.
It's ultimately about making developers' lives easier in everything they do, so they can focus on what they love: innovating at lightning speed. Developers don't want to be bogged down by never-ending security tickets. They want a no-fuss way of choosing the best components based on project quality and ease of upgrade. Knowing from the start of a project which components to avoid, either because they don't fit policy or because they are associated with abnormal committer behavior, saves developers an incredible amount of time. And developers want to be able to fix issues as quickly and seamlessly as they can. With the Pack, we're providing all of this. They'll be able to better understand:
More specifically, the Pack removes the guesswork and tells developers which dependencies offer the least costly upgrade path in terms of effort. Specific capabilities include:
I've said this before, but it remains even more true today: New versions of components are released at an overwhelming pace, approximately 20,000 per day, making it impossible for most teams to manually manage dependencies. The Advanced Development Pack will automate this otherwise painful process and help developers update to the best and newest versions of component releases.
You can learn more about the Advanced Development Pack.