Study shows high performance engineering teams release 15x more often and remediate open source vulnerabilities 26x faster
Fulton, Md. -- August 12, 2020 -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today released its sixth annual State of the Software Supply Chain Report.
For the second year in a row, Sonatype partnered with researchers Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity.
The report analyzes over 1.5 trillion open source download requests, 24,000 open source projects, and 5,600 enterprise development teams. Furthermore, in-depth survey research across a wide variety of organizations identified four types of software engineering teams with markedly different levels of performance in their software supply chain management practices and open source governance.
When compared to their Low Performer peers, High Performers demonstrated:
When compared to Security First teams, High Performers were:
“Many have argued that effective risk management practices are always at the expense of developer productivity, but this year’s report provides strong evidence to the contrary. Faster innovation and better risk management are not mutually exclusive,” said Wayne Jackson, CEO of Sonatype. “High Performance engineering teams are accelerating velocity while simultaneously reducing security risks. Adding to these successful business outcomes, developers in High Performance teams demonstrate higher levels of job satisfaction.”
The report also evaluated 24,000 open source projects to determine practices of the top-performing suppliers feeding components into software supply chains. Researchers found exemplary OSS projects demonstrated:
“We found that high performers are able to simultaneously achieve security and productivity objectives,” said Gene Kim, DevOps researcher and author of the WSJ bestselling book, The Unicorn Project. “It’s fantastic to gain a better understanding of the principles and practices of how this is achieved, as well as their measurable outcomes.”
“It was really exciting to find so much evidence that this much-discussed tradeoff between security and productivity is really a false dichotomy. With the right culture, workflow, and tools, development teams can achieve great security and compliance outcomes together with class-leading productivity,” said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.
The study also reveals new milestones in open source software development, adversarial activity, and government influence, including:
About the State of the Software Supply Chain Report
The 2020 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis to identify exemplary software development practices. Now in its sixth year, it is the longest-running research on open source software development and application security practices of its kind.
About Sonatype
Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, X, or LinkedIn.
Media Contact
In the US: Mission North for Sonatype
In the UK: Babel PR for Sonatype
sonatype@babelpr.com