Sonatype released its
9th Annual State of the Software Supply Chain Report.
This year's report highlights alarming open source software (OSS) and
software supply chain security trends, while also looking at how arming
developers with better, more consistent development tools and best
practices can save them and their organizations a significant amount of
time and money. Noteworthy findings in the report include:
- 2023 saw twice as many software supply chain attacks as 2019-2022 combined: Sonatype logged 245,032 malicious packages in 2023. One in eight open source downloads today poses known and avoidable risks.
- Nearly all (96%) vulnerabilities are still avoidable: 2.1
billion OSS downloads with known vulnerabilities in 2023 could have
been avoided because a better, fixed version was available - the exact
same percentage as in 2022. For every suboptimal component upgrade made,
there are typically 10 superior versions available.
- Only 11% of open source projects are "actively maintained": Sonatype
analyzed 1,176,407 open source projects across four major ecosystems
and saw an 18% decline in "actively maintained" open source projects.
The finding demonstrates the importance of constant vigilance from
consumers in tracking the health of dependencies over time. The report
once again highlights suboptimal open source consumption habits as the
root cause of open source risk, contrary to public discourse often
linking security risk with open source maintainers. In fact, the report
demonstrates that maintainers, on average, promptly address and resolve
issues.
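The "known and avoidable" finding above rests on a simple classification: a download carries avoidable risk when the version pulled is affected by a known advisory and a fixed release already exists. The following is an added example, not code from the report or from Sonatype, that applies that classification to a constructed download log and advisory list; the package names, version ranges and download records are all hypothetical, and the version comparison is a plain numeric tuple rather than full semver.

```python
"""Classify component downloads as clean, avoidable risk, or unavoidable risk.

Added illustration of the report's "known and avoidable" metric. All package
names, advisories, release histories and download records below are
constructed for the example; none come from Sonatype's report or a real
advisory database.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Optional


def parse_version(text: str) -> tuple:
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: str          # first affected version (inclusive)
    fixed: Optional[str]     # first fixed version, or None if no fix exists yet

    def affects(self, version: str) -> bool:
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


# Constructed advisories (hypothetical package names and version ranges).
ADVISORIES = [
    Advisory("example-json", introduced="1.0.0", fixed="1.4.2"),
    Advisory("example-http", introduced="2.0.0", fixed="2.3.0"),
    Advisory("example-yaml", introduced="0.9.0", fixed=None),
]

# Constructed release history per package, oldest to newest.
RELEASES = {
    "example-json": ["1.0.0", "1.2.0", "1.3.5", "1.4.2", "1.5.0", "1.5.1"],
    "example-http": ["2.0.0", "2.1.0", "2.2.0", "2.3.0", "2.4.0"],
    "example-yaml": ["0.9.0", "0.9.1", "1.0.0"],
}

# Constructed download log: one (package, version) pair per download event.
DOWNLOADS = [
    ("example-json", "1.2.0"), ("example-json", "1.2.0"), ("example-json", "1.5.1"),
    ("example-http", "2.4.0"), ("example-http", "2.1.0"),
    ("example-yaml", "1.0.0"), ("example-yaml", "0.9.1"), ("example-json", "1.3.5"),
]


def classify(package: str, version: str) -> str:
    """Return 'clean', 'avoidable' (every hit has a fix) or 'unavoidable'."""
    hits = [a for a in ADVISORIES if a.package == package and a.affects(version)]
    if not hits:
        return "clean"
    if all(a.fixed is not None for a in hits):
        return "avoidable"
    return "unavoidable"


def safe_upgrades(package: str, version: str) -> list:
    """Newer releases of `package` that no known advisory affects."""
    current = parse_version(version)
    return [
        r for r in RELEASES[package]
        if parse_version(r) > current and classify(package, r) == "clean"
    ]


def summarize(downloads=DOWNLOADS) -> dict:
    """Count downloads per risk class."""
    return dict(Counter(classify(p, v) for p, v in downloads))


def avoidable_share(downloads=DOWNLOADS) -> float:
    """Fraction of vulnerable downloads for which a fixed version existed."""
    counts = summarize(downloads)
    vulnerable = counts.get("avoidable", 0) + counts.get("unavoidable", 0)
    return counts.get("avoidable", 0) / vulnerable if vulnerable else 0.0


if __name__ == "__main__":
    print(summarize())
    print(f"avoidable share of vulnerable downloads: {avoidable_share():.2%}")
    for pkg, ver in DOWNLOADS:
        if classify(pkg, ver) == "avoidable":
            print(f"{pkg} {ver}: safe upgrades {safe_upgrades(pkg, ver)}")
```

On the constructed log, six of eight downloads are affected by an advisory and four of those six had a fixed release available, so the avoidable share is two thirds; `safe_upgrades` lists the clean newer releases a consumer could have chosen instead, which is the decision the report asks developers to make deliberately.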
"A lot of maintainers are very diligent -
Big Tech companies go out of their way to hire talented people to
maintain libraries they rely on," says Brian Fox, CTO at Sonatype. "Our
industry needs to direct its efforts towards the right place. The fact
that there's been a fix for almost all downloads of components with a
known vulnerability tells us an immediate focus should be supporting
developers on becoming better decision-makers, and giving them access to
the right tools. The goal is to help developers be more intentional
about downloading open source software from projects with the most
maintainers and the healthiest ecosystem of contributors. This will not
only create safer software, but also recoup nearly two weeks of wasted
developer time each year."
Amidst rising software supply chain attacks,
there's also a continued disconnect between perceived security and
reality in software development:
- Organizations think they have their software supply chains under control:
67% of respondents feel confident that their applications do not rely
on known vulnerable libraries. Yet, nearly 10% of respondents reported
their organizations had security breaches due to open source
vulnerabilities in the last 12 months.
- Awareness and mitigation of open source vulnerabilities lack urgency in many organizations:
The report found that 39% of organizations discover vulnerabilities
within one to seven days; 29% take over a week to become aware and 28%
discover within one day. When it comes to mitigation, 36.2% of
respondents require over a week to mitigate vulnerabilities.
Developers play a pivotal role in driving
progress, innovation, and excellence. Findings this year further
highlight the direct relationship between developer productivity and
access to superior tools and high-quality open source components. While
investigating solutions for reducing security risks and time wasting,
Sonatype discovered that:
- Open source projects that are consistently maintained outperformed their
counterparts on critical software security best practices. Compared to
less-maintained libraries, consistently maintained projects tend to score:
- 5.9x higher on SAST
- 5.4x higher on Signed Releases
- 5.1x higher on Dependency Update Tools
- 3.6x higher on Code Review
- 3.8x higher on Branch Protection
- Optimal dependency management saves time and money, and decreases security risk:
When teams use better security data that reduces false positive findings
by 25%, in combination with making optimal upgrade decisions, each team
saves a total of 1.5 months of time, per application, per year. This
equates to a 2X boost in time saved over just making optimal upgrades.
"Impactful change necessitates clear
direction," adds Fox. "For both better and worse, today's software
organizations face an overwhelming amount of options for addressing
these issues - from a multitude of frameworks to weekly governmental
guidance, and more. All that choice is ripe to create paralysis, making
it hard to get started."
Amid
the spike in software supply chain vulnerabilities, there are signs of
developers taking measures to improve efficiencies and security posture.
The report shows the use of AI/ML components in software development
surging by 135% in less than a year, largely owing to the massive
efficiencies the technology affords software developers, in addition to
how quickly AI/ML components can be integrated into software development
workflows. That said, developers and organizations face significant
challenges in developing their own AI products.
"While
AI/ML technology has become more accessible than ever, there are still
significant implementation challenges. Developers and data scientists
have to choose from hundreds of thousands of options for models and
libraries," says Stephen Magill, Vice President of Innovation at
Sonatype. "Choosing open source solutions comes with all of the
familiar requirements around managing open source security risk.
Choosing proprietary solutions can come with high costs. And in both
cases, licensing of both the models and the model outputs can be very
uncertain."
To read the full report, visit sonatype.com/state-of-the-software-supply-chain.