Open source supply chain automation vendor Sonatype released its State of the Software Supply Chain Report this week. Sonatype assembled a significant amount of data on the use of open source software in development environments from 3,000 organizations across 25,000 applications.
Some things uncovered in the report were reaffirming, others were concerning. Sonatype measured organizations using an astounding 229,000 components annually. That’s a lot of components to manage, to be sure. But it also introduces a lot of potential risk. And, with that in mind, Sonatype found that:
6.8% of application components contained at least one known security vulnerability. That’s 16,000 components in each organization looked at -- a lot of increased attack surface.
Key findings from the report include:
In an interview, Bruce Mayhew, Director of Research and Development at Sonatype, said he found many things in the report surprising. “One of the first ones that surprised me was the staggering growth and consumption of open source software and how prevalent open source components are in modern-day applications,” he said. “Another thing that surprised me was the lack of visibility and control that security, legal, and architecture teams have over their consumption of open source components. I think the last thing that surprised me was that some of the public open source repositories are mutable in that they allow changing of the bits for a specifically versioned and published component, or that they allow the removal of published artifacts. Those were the three big surprises for me.”
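One concrete defence against the mutable-repository problem Mayhew describes is to record each component's content digest when it is first pinned and to fail the build if the same version later resolves to different bits, or is no longer there at all. The block below is an added illustration, not code from Sonatype or the report; the lockfile format, the component coordinates and the artifact bytes are all constructed for the example.

```python
import hashlib
from typing import Dict

# Constructed sample data (not from the report): the artifact bytes each
# component coordinate resolved to when the dependency set was first pinned.
PINNED_ARTIFACTS = {
    "org.example:parser:1.4.2": b"PK\x03\x04 constructed jar contents v1.4.2",
    "org.example:http-client:2.0.0": b"PK\x03\x04 constructed jar contents v2.0.0",
    "org.example:logging:0.9.1": b"PK\x03\x04 constructed jar contents v0.9.1",
}
def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()
def make_lockfile(artifacts: Dict[str, bytes]) -> str:
    """Record one 'coordinate sha256=<hex>' line per component at pin time."""
    return "\n".join(f"{c} sha256={sha256_hex(b)}" for c, b in sorted(artifacts.items()))
def parse_lockfile(text: str) -> Dict[str, str]:
    """Read the lockfile back into {coordinate: expected sha256}; '#' lines are comments."""
    pins = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            coord, digest = line.split(" sha256=", 1)
            pins[coord] = digest.strip()
    return pins
def verify_against_lockfile(lockfile: str, fetched: Dict[str, bytes]) -> Dict[str, str]:
    """Status per coordinate: 'ok', 'modified' (different bits under the same version),
    'missing' (artifact withdrawn), or 'unpinned' (fetched but never recorded)."""
    pins = parse_lockfile(lockfile)
    result = {}
    for coord, digest in pins.items():
        if coord not in fetched:
            result[coord] = "missing"
        elif sha256_hex(fetched[coord]) != digest:
            result[coord] = "modified"
        else:
            result[coord] = "ok"
    for coord in fetched:
        if coord not in pins:
            result[coord] = "unpinned"
    return result

# Constructed "today" resolution: one artifact republished with different bytes under
# the same version, one removed from the repository, one new dependency never pinned.
FETCHED_TODAY = {
    "org.example:parser:1.4.2": b"PK\x03\x04 constructed jar contents v1.4.2",
    "org.example:http-client:2.0.0": b"PK\x03\x04 DIFFERENT bytes republished as v2.0.0",
    "org.example:json:3.1.0": b"PK\x03\x04 constructed jar contents v3.1.0",
}
LOCKFILE = make_lockfile(PINNED_ARTIFACTS)
```

Any status other than `ok` is a reason to stop the build and look, since a digest mismatch under an unchanged version is exactly the "changing of the bits" that a mutable repository permits.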
Mayhew also stressed the importance of open source software security. “Open source components are everywhere, across all languages. Ecosystems that house open source components sometimes have very little control over the software within their own repositories. If you were building a swing-set for your kids, would you want the generic bolts from the Dollar Store or would you want a higher grade bolt from the hardware store?”
“It's hard to say which one's better without knowing some basic quality facts like shear strength, or will they rust apart after two years? This is the type of information that we all need about our software components and today people just don't have it,” Mayhew continued. “I think people have to come to grips that open source is good for software development. It helps us be more innovative in what we build because we don't have to reinvent the wheel with every single application that we build. As our applications become more complex and our choices become vast, we need to get in front of helping developers and enterprises make better decisions on the risk of what is being used.”
The report is worth a read for anyone concerned with software security. Sonatype says they studied the patterns and practices exhibited by high-performance organizations and documented how they use software “supply chain automation” to manage the flow and variety of open source components, and how they reduce risk doing so. Verticals looked at include banking, insurance, defense, energy, technology and government.
George V. Hulme is an internationally recognized information security and business technology writer. For more than 20 years Hulme has written about business, technology, and IT security topics. From March 2000 through March 2005, as senior editor at InformationWeek magazine, he covered the IT security and homeland security beats. His work has appeared in CSOOnline, ComputerWorld, Network Computing, Government Computer News, Network World, San Francisco Examiner, TechWeb, VARBusiness, and dozens of other technology publications.