More code deploys means fewer security headaches

Contrary to what you might think, updating code a lot can cut security issues in half -- and improve software quality

Organizations with high rates of code deployments spend half as much time fixing security issues as organizations without such frequent code updates, according to a newly released study.

In its latest annual state-of-the-developer report, Devops software provider Puppet found that by better integrating security objectives into daily work, teams in "high-performing organizations" build more secure systems. The report, which surveyed 4,600 technical professionals worldwide, defines high IT performers as offering on-demand, multiple code deploys per day, with lead times for changes of less than one hour. Puppet has been publishing its annual report for five years.

"We found that the high performers spend 50 percent less time [remedying] security issues," said Alanna Brown, a senior product marketing manager for Puppet. "This doesn't just represent wasted time, it also shows that low performers are much more susceptible to security issues."

Security is often seen as the "final frontier" for devops, and Brown noted that "now, we have proof that security can be successfully integrated into a devops environment. But if it's not done well, it can be costly to the health of the business."

Also in this year's report, Puppet found a widening performance gap between high performers and low performers -- those who deploy code at rates of between once per month and once every six months. "In the last year, the high performers have seriously improved their throughput, going from 200 deploys a year to 1,460 deploys a year," Brown said. "On the other hand, the low performers are stuck in the mud and haven't had much change in their throughput for the past three years."

Deploying more frequently gives high performers a "huge edge," she said. "They're able to experiment more often and deliver value to customers faster, creating a virtuous circle of learning and improvement."

The 2016 report also took a stab at measuring the quality of software, using unplanned work and rework as a proxy for quality because they're primarily caused by defects. Puppet found that high-performing organizations spend 22 percent less time on unplanned work and rework, and as a result, they're able to spend 29 percent more time on new, value-adding work.  

Puppet further noted that high performers have more employee loyalty. Employees in high-performing organizations were 2.2 times more likely to recommend their organization to a friend as a "great" place to work, the report said. These employees were also 1.8 times more likely to recommend their team to a friend as a great working environment.

The report also advocates an experimental approach to product development, with the development cycle starting long before coding. "Your product team's ability to decompose products and features into small batches, provide visibility into the flow of work from idea to production, and gather customer feedback to iterate and improve will predict both IT performance and deployment pain," Puppet said.
