Updating code can mean fewer security headaches

Contrary to what you might think, updating code a lot can cut security issues in half -- and improve software quality

More code deploys means fewer security headaches

Organizations with high rates of code deployments spend half as much time fixing security issues as organizations without such frequent code updates, according to a newly released study.

In its latest annual state-of-the-developer report, Devops software provider Puppet found that by better integrating security objectives into daily work, teams in "high-performing organizations" build more secure systems. The report, which surveyed 4,600 technical professionals worldwide, defines high IT performers as offering on-demand, multiple code deploys per day, with lead times for changes of less than one hour. Puppet has been publishing its annual report for five years.

"We found that the high performers spend 50 percent less time [remedying] security issues," said Alanna Brown, a senior product marketing manager for Puppet. "This doesn't just represent wasted time, it also shows that low performers are much more susceptible to security issues."

Security is often seen as the "final frontier" for devops, and Brown noted that "now, we have proof that security can be successfully integrated into a devops environment. But if it's not done well, it can be costly to the health of the business."

Also in this year's report, Puppet found a widening performance gap between high performers and low performers -- those who deploy code at rates of between once per month and once every six months. "In the last year, the high performers have seriously improved their throughput, going from 200 deploys a year to 1,460 deploys a year," Brown said. "On the other hand, the low performers are stuck in the mud and haven't had much change in their throughput for the past three years."

Deploying more frequently gives high performers a "huge edge," she said. "They're able to experiment more often and deliver value to customers faster, creating a virtuous circle of learning and improvement."

The 2016 report also took a stab at measuring the quality of software, using unplanned work and rework as a proxy for quality because they're primarily caused by defects. Puppet found that high-performing organizations spend 22 percent less time on unplanned work and rework, and as a result, they're able to spend 29 percent more time on new, value-adding work.

Puppet further noted that high performers have more employee loyalty. Employees in high-performing organizations were 2.2 times more likely to recommend their organization to a friend as a "great" place to work, the report said. These employees were also 1.8 times more likely to recommend their team to a friend as a great working environment.

The report also advocates an experimental approach to product development, with the development cycle starting long before coding. "Your product team's ability to decompose products and features into small batches, provide visibility into the flow of work from idea to production, and gather customer feedback to iterate and improve will predict both IT performance and deployment pain," Puppet said.

This story, "Updating code can mean fewer security headaches" was originally published by InfoWorld.

Copyright © 2016 IDG Communications, Inc.
