Sonatype’s 9th Annual State of the Software Supply Chain Report highlights concerning trends in open source software (OSS) and software supply chain security [3] [4]. This summary will delve into the key findings of the report.
Description
The report reveals that 96% of known-vulnerable open source downloads can be avoided [4], indicating that suboptimal consumption behaviors are the main cause of open source risk [4]. Additionally, there has been a significant increase in cyber risk within open source ecosystems, with twice as many software supply chain attacks in 2023 compared to the previous four years combined [2] [3] [4]. This surge resulted in 245,032 malicious packages being logged. Shockingly, one in eight open source downloads pose known and avoidable risks [2]. However, it is important to note that better versions are often available, making 96% of vulnerabilities avoidable [2] [3]. In total, there were 2.1 billion OSS downloads with known vulnerabilities that could have been avoided [1] [3] [5], consistent with the previous year. The study emphasizes the need to support developers in making better decisions and accessing the right tools to create safer software [4] [5]. It also highlights a disconnect between perceived security and reality in software development [4], with many organizations failing to address open source vulnerabilities urgently [4]. The report further reveals that awareness and mitigation of open source vulnerabilities vary [2] [3], with 39% of organizations discovering vulnerabilities within one to seven days [2]. Constant monitoring of dependencies is crucial, as only 11% of open source projects are actively maintained [2] [3] [4]. Consistently maintained open source projects outperform their counterparts in critical software security best practices [2] [3] [4]. By utilizing better security data and making optimal upgrade decisions [3], teams can save 1.5 months of time per application per year [3]. Lastly, the use of AI/ML components in software development has seen a 135% surge in less than a year [4]. However, developers and organizations face challenges in developing their own AI products [4].
Conclusion
The findings of Sonatype’s report underscore the need for improved practices in open source software consumption and supply chain security. It is crucial to prioritize the support and education of developers to make informed decisions and access the necessary tools for safer software development. Organizations must address open source vulnerabilities with urgency and constantly monitor dependencies. The use of AI/ML components presents both opportunities and challenges, requiring careful consideration and development. By implementing these measures, the software industry can mitigate risks, save time [3] [4], and ensure a more secure future.
References
[1] https://www.infosecurity-magazine.com/news/open-source-supply-chain-attacks-2/
[2] https://portal.sina.com.hk/finance/finance-globenewswire/globenewswire/2023/10/03/554309/sonatypes-9th-annual-state-of-the-software-supply-chain-report-reveals-ways-to-improve-developer-devsecops-efficiency/
[3] https://www.globenewswire.com/news-release/2023/10/03/2753750/0/en/Sonatype-s-9th-Annual-State-of-the-Software-Supply-Chain-Report-Reveals-Ways-to-Improve-Developer-DevSecOps-Efficiency.html
[4] https://www.investorsobserver.com/news/qm-pr/4667647864697933
[5] https://betanews.com/2023/10/03/one-in-eight-open-source-downloads-have-known-and-avoidable-risks/
