11:45 - 12:45
In 2009, we were awakened to Allspaw and Hammond’s “10 deploys a day”. In 2010, Jez Humble and Dave Farley advised us to “build quality in”. But in 2019, breaches hit 24% of software development teams. Are we staking our future on a pace we haven’t yet learned to secure?
In a year-long collaboration with Gene Kim and Dr. Stephen Magill, we objectively examined and empirically documented software release patterns and cybersecurity hygiene practices across 48,000 commercial development teams and open source projects. Our research uncovered different software development and cybersecurity hygiene behaviors that we categorized as Exemplars, Laggards, Features First, and Cautious.
In this session, I will reveal the insights we uncovered. Attendees will learn which techniques, team structures and release patterns exemplary development teams have championed at large enterprises like ABN AMRO, Walmart, and SEGA, as well as within open source project teams from the likes of Elasticsearch, Mulesoft, and SonarSource. I’ll also share observations of exemplary DevSecOps practices that deliver 50% more commits, release new code 2.4X faster, and remediate security vulnerabilities 2.9X faster.