High performing developers release more often
The highest performing developers put out releases 15 times more often and are 26 times faster to detect and fix open source vulnerabilities than their low performing counterparts, according to a new study.
The report from Sonatype is based on analysis of over 1.5 trillion open source download requests, 24,000 open source projects, and 5,600 enterprise development teams.
Carried out in conjunction with Gene Kim from IT Revolution and Dr Stephen Magill, CEO at MuseDev, the research examines how high performing teams achieve superior risk management outcomes while maintaining high levels of productivity.
It identifies four types of development team: High Performance Teams, Security First Teams, Productivity First Teams and Low Performer Teams. Compared with Low Performers, High Performers need 5.7x less time for developers to become productive when switching teams, and their employees are 1.5x more likely to recommend the organization as a great place to work.
While Security First teams have good risk management, their productivity is lower. Compared with these, High Performers are 59 percent more likely to be using software composition analysis tools, 28 percent more likely to enforce governance policies in Continuous Integration and 56 percent more likely to have centrally-managed CI infrastructure.
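To make concrete what "enforcing governance policies in Continuous Integration" can look like in practice, here is an added example that is not code from the report, from Sonatype, or from any tool it names: a small Python gate that parses a pinned requirements file, checks every pin against an advisory list, and returns a non-zero status so the pipeline fails. The package names, advisory identifiers, version ranges and the sample lockfile are constructed placeholders, not real advisories or real projects.

```python
"""Minimal dependency-policy gate for a CI pipeline (added illustration).

Parses a pinned Python requirements file and fails the build when a pinned
version falls inside a vulnerable range listed in an advisory feed. The feed
below is constructed and hypothetical; a real gate would load it from an SCA
tool or vulnerability database instead of a hard-coded dictionary.
"""
import re
import sys
from dataclasses import dataclass

# Constructed advisory feed: package -> list of (first_vulnerable, fixed_in, id).
# All names and identifiers are hypothetical placeholders.
ADVISORIES = {
    "examplelib": [((1, 0, 0), (1, 4, 2), "HYPO-2020-0001")],
    "samplecrypto": [((0, 0, 0), (2, 0, 0), "HYPO-2020-0002")],
}

# Constructed sample lockfile used when no path is given on the command line.
SAMPLE_REQUIREMENTS = """\
# pinned by a lock tool
examplelib==1.3.7
samplecrypto==2.1.0
unrelated==0.9.1
"""

# Only exact pins are accepted; ranges and unpinned names are policy violations.
PIN_RE = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)\s*(?:#.*)?$")


def parse_version(text):
    """'1.4.2' -> (1, 4, 2); tuples compare correctly component by component."""
    return tuple(int(part) for part in text.split("."))


def parse_requirements(text):
    """Return {package: version_tuple}; raise ValueError on any non-exact pin."""
    pins = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue
        match = PIN_RE.match(stripped)
        if not match:
            raise ValueError(f"line {lineno}: not an exact pin: {stripped!r}")
        pins[match.group(1).lower()] = parse_version(match.group(2))
    return pins


@dataclass
class Violation:
    package: str
    version: str
    advisory: str
    fixed_in: str


def fmt(version):
    return ".".join(str(part) for part in version)


def evaluate(pins, advisories=ADVISORIES):
    """Report every pin whose version lies in [first_vulnerable, fixed_in)."""
    violations = []
    for name, version in pins.items():
        for first_vulnerable, fixed_in, advisory_id in advisories.get(name, []):
            if first_vulnerable <= version < fixed_in:
                violations.append(Violation(name, fmt(version), advisory_id, fmt(fixed_in)))
    return violations


def gate(text, advisories=ADVISORIES):
    """Return (exit_code, findings): 0 clean, 1 vulnerable pin, 2 malformed lockfile."""
    try:
        pins = parse_requirements(text)
    except ValueError as err:
        return 2, [str(err)]
    violations = evaluate(pins, advisories)
    return (1 if violations else 0), violations


def main(argv):
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REQUIREMENTS
    code, findings = gate(text)
    for finding in findings:
        print(finding)
    return code


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run with no arguments to evaluate the embedded sample, or pass a lockfile path; wiring the script into a CI step makes the build fail on exit status 1 (a pin inside a vulnerable range) or 2 (an unpinned or ranged dependency that the policy refuses to evaluate).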
"Many have argued that effective risk management practices are always at the expense of developer productivity, but this year's report provides strong evidence to the contrary. Faster innovation and better risk management are not mutually exclusive," says Wayne Jackson, CEO of Sonatype. "High Performance engineering teams are accelerating velocity while simultaneously reducing security risks. Adding to these successful business outcomes, developers in High Performance teams demonstrate higher levels of job satisfaction."
The study also reveals some software security trends, including a 430 percent increase in next generation software supply chain attacks over the past year, and an average of 373,000 downloads of open source components per company, of which 8.3 percent are known vulnerable.
You can get the full report from the Sonatype site.