Securing and delivering high-quality code with innersource metrics
With innersource, it’s important to measure both the amount of innersource activity and the quality of the code being created. Here’s how.
Innersource creates high quality user experiences and productive developers
The open source software community has organically developed techniques that ensure the code all of us rely on is high quality, reusable, and secure even though it is worked on by people all across the world.
When an organization, such as a company or an agency, employs similar methods within its own engineering department, it is known as innersource. Common innersource techniques include creating software templates and reusable components through collaboration across different development teams. These templates are then used across all the projects and services within a company to provide a consistent user experience and increase developer productivity by up to 87%.
As you develop an innersource practice within your organization it is important to measure both the amount of innersource activity and the quality of the code that is being created. Below we will focus on how to ensure the code you are using across your products and services is high quality and secure.
Secure your most used code
With the help of the GitHub Professional Services Team, a major government agency created a portal their developers could use to discover existing reusable software based on an open source SAP project. Once developers were able to easily discover relevant repositories they quickly began incorporating them into all of their current work. This meant that any problems in the original repositories would affect many different products and services, so ensuring that the original code was bug- and vulnerability-free had an outsized effect on the overall quality of the code base.
As secure code was the agency’s top priority, we built metrics into the discovery portal to provide visibility into the security status of their most innersourced repositories. These metrics are automatically updated daily, and allow the agency to prioritize their security efforts by keeping the most used repositories secure.
These metrics, along with the insights gathered from enabling GitHub Advanced Security secret scanning and code scanning on all 400+ of their innersource repositories, drove a 50% reduction in vulnerabilities. This means all the products and services dependent on these innersource repositories are more secure.
How to collect and secure your innersource
The government agency was able to develop, secure, and share reusable code internally to significantly accelerate and secure software development. Here are four simple steps your organization can take to accelerate development through innersource adoption:
- Identify reusable software across the teams in your enterprise.
- Collect those repositories and make them discoverable.
- Track metrics related to the security and quality of these critical repositories.
- Take targeted actions to improve those metrics and celebrate the results!
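As an added example (not code from the post, and not the agency's portal), here is one way to turn the last two steps into a daily-computable metric: a reuse-weighted exposure score that ranks innersource repositories by their open security alerts multiplied by how many internal projects consume them, and separately flags widely reused repositories where scanning has not been enabled, since "zero alerts" there is not evidence of safety. All repository names, counts, and field names below are constructed assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample inputs, in the shape of what a discovery portal could
# collect daily from code scanning and secret scanning results. The field
# names and weights are illustrative assumptions, not a GitHub API schema.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


@dataclass
class Repo:
    name: str
    dependents: int                    # internal projects that reuse this repo
    code_alerts: dict = field(default_factory=dict)  # severity -> open count
    secret_alerts: int = 0             # open secret scanning alerts
    scanning_enabled: bool = True      # is code/secret scanning turned on?


def exposure_score(repo: Repo) -> int:
    """Weighted open alerts multiplied by reuse. A flaw in a widely reused
    template is inherited by every dependent, so it outranks the same flaw
    in a repository that nobody consumes. Leaked secrets count as critical."""
    weighted = sum(SEVERITY_WEIGHT[sev] * n for sev, n in repo.code_alerts.items())
    weighted += SEVERITY_WEIGHT["critical"] * repo.secret_alerts
    return weighted * repo.dependents


def prioritize(repos):
    """Return (unscanned, ranked): names of repos with scanning disabled, most
    reused first, and (name, score) pairs for scanned repos with open alerts,
    highest exposure first. Clean, scanned repos drop out of the list."""
    unscanned = sorted((r for r in repos if not r.scanning_enabled),
                       key=lambda r: (-r.dependents, r.name))
    scored = [(r.name, exposure_score(r)) for r in repos if r.scanning_enabled]
    ranked = sorted((s for s in scored if s[1] > 0), key=lambda s: (-s[1], s[0]))
    return [r.name for r in unscanned], ranked


# Constructed sample: four scanned repos and one with scanning still off.
SAMPLE = [
    Repo("auth-template", dependents=40, code_alerts={"high": 1}),
    Repo("ui-components", dependents=120, code_alerts={"low": 3}, secret_alerts=1),
    Repo("legacy-tool", dependents=1, code_alerts={"critical": 2}),
    Repo("logging-lib", dependents=60),
    Repo("data-sdk", dependents=25, scanning_enabled=False),
]

if __name__ == "__main__":
    unscanned, ranked = prioritize(SAMPLE)
    print("enable scanning first:", unscanned)
    for name, score in ranked:
        print(f"{name:15} {score}")
```

Re-running this over each day's alert counts and keeping the scores gives the trend line the post describes, so a drop in total exposure across the portfolio can be tracked alongside the raw vulnerability count.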
Learn more about how organizations are accelerating development and creating top company cultures.
If you need support or further guidance, let us know at https://services.github.com/#contact. We’d be happy to use our experience to help accelerate and secure your software development!