How do the top-performing open source teams manage their dependencies? How do the top-performing companies approach compliance with open source security and legal requirements? Can a team attain class-leading performance in both security and productivity? We summarize the outcome of two years' worth of research conducted for the 2019 and 2020 State of the Software Supply Chain reports. We examined the development history of over 10,000 open source projects and surveyed over 500 enterprise developers to determine the practices that help high performers stand out. A key finding was that a factor we call “Open Source Enlightenment” played an important role in both security outcomes and job satisfaction. And popularity, which is so widely viewed as a signal of quality, was a poor predictor of security in open source libraries. Come hear what factors matter in choosing the right open source dependencies and learn how to orient your development process to get the most out of them. We will dive into the data and guidance that emerged from this analysis and explain the open source practices common to high-performing organizations, which see 26x faster detection and remediation of vulnerabilities and 15x more frequent deployments than low performers, all while reporting class-leading security and quality outcomes.
Dr. Stephen Magill was the CEO and co-founder of MuseDev, and is now VP of Product Innovation at Sonatype. He has spent his career developing tools to help developers identify errors, gauge code quality, and detect security issues.