How Developers Manage Dependencies Matters (Podcast)

What are the most efficient, and exemplary DevOps development practices? Research reveals interesting trends.

This DevSecOp Days podcast episode features Derek Weeks, of Sonatype, and Stephen Magill, of Galois, as they discuss the 2019 State of the Software Supply Chain report. The supply chain report is the result of a recent collaboration with Gene Kim of IT Revolution.

What Was Different This Year?

This is the fifth year of the report. The podcast conversation below explores how the team collected and examined data. It is the largest study so far: 36,000 open source software projects and 12,000 enterprise development teams participated. The research identifies the shared practices of the top 3% of teams.

What Do Developers Say?

A primary consideration was how developers are managing dependencies. What processes or are devs doing? What automation tools are in use? Do developers enjoy this part of their work or do they view dependency management as a painful process?

Weeks says they were surprised to learn that 38% of developers schedule dependency updates as part of their normal routine. 46% say striving to use the latest version of a component. 50% of developers agreed or strongly agreed that there was a process in place at their organization to evaluate and approve open source components. 37% said they use automated tools to track, manage, and ensure compliance.

Does Development Velocity Impact Quality?

Interestingly, the faster the software development pipeline, the more secure the end result. This counterintuitive fact is supported by the report’s data. Staying up-to-date prevents vulnerabilities attached to older components.

Listen to the episode here.