This talk will present research quantifying the impact that various software security practices have on security risk outcomes. Comcast has correlated practices like secure coding training, threat modeling, pen testing, SAST/IAST/SCA tool usage, security code review, etc.. with outcome data from 200 different teams in the technologically and process maturity diverse environment inside Comcast.