Sonatype’s Derek Weeks and Stephen Magill of Galois talk with our own Mark Miller about working with Gene Kim of IT Revolution, and how they produced this year’s research, on an episode of DevSecOpDays.
New this year is the collaborative research partnership. The research covered the largest data set to date: 36,000 open source projects and 12,000 commercial development teams. The academic rigor and in-depth research produced a detailed examination of open source software globally.
What isn’t new? Derek reminds listeners why the report is a perennial industry leader. It examines the trendlines of open source component use, vulnerabilities, and data breaches, as before. The report also reviews the emerging response to this landscape from public and private entities.
Stephen explains how the project started with a hypothesis. Could the researchers define excellence and discover the behavioral commonalities that support it? Further, how does excellence affect security? How does it affect commit cadence?
The researchers expected that projects with fewer dependencies would be easier to keep up to date, and would be more secure as a result. They also thought projects that released more frequently would be more popular. Surprisingly, no correlation was found between the number of dependencies, established maintenance routines, and popularity.
They did observe a trend between the size of a development team and the number of dependencies in the software. Classic chicken-or-egg: did larger projects need more code and therefore more developers, or did the codebase grow when developers brought in their favorite libraries?
One takeaway from the report -- just one -- is the realization that development velocity is an indicator of quality. Faster release schedules are more secure.
Exemplary teams are a small share of the population. One trait they share is a DevOps culture that supports rapid development and deployment. Organizations with high-frequency release schedules have a stronger MTTU (mean time to update) response. Remediation, when necessary, is faster, more effective, and more impactful.
Another trait these teams share is quick security updates and component releases. 38% of people on these teams said they schedule dependency updates as part of their normal routine. 46% say they strive to use the latest version of a component.
You can listen to the full podcast episode below. Listen to the end. Stephen surmises what next year’s State of the Software Supply Chain report might examine - and why it might even be better than this year's.