Exemplars, Laggards, and The Cautious: a data-driven look at high-velocity software development practices

In 2009, we were awakened to Allspaw and Hammond’s “10 deploys a day”. In 2010, Jez Humble and Dave Farley advised us to “build quality in”. But in 2019, breaches hit 24% of software development teams. Are we staking our future on a pace we haven’t yet learned to secure?

In a year-long collaboration between Gene Kim and Dr. Stephen Magill, we objectively examined and empirically documented software release patterns and cybersecurity hygiene practices across 36,000 commercial development teams and open source projects. Our research uncovered distinct software development and cybersecurity hygiene behaviors, which we categorized as Exemplars, Laggards, Features First, and Cautious.

In this session, I will reveal the insights we uncovered. Attendees will learn which techniques, team structures, and release patterns have been championed by exemplary development teams at large enterprises like ABN AMRO, Walmart, and SEGA, as well as within open source project teams from the likes of Elasticsearch, Mulesoft, and SonarSource. I'll also share observations of exemplary DevSecOps practices that deliver 50% more commits, release new code 2.4X faster, and remediate security vulnerabilities 2.9X faster.

Derek E. Weeks

Derek E. Weeks, Vice President at Sonatype, is the world’s foremost researcher on the topic of DevSecOps and securing software supply chains. For the past five years, he has championed the ...