Open source supply chain automation vendor Sonatype released its State of the Software Supply Chain Report this week. Sonatype assembled a significant amount of data on the use of open source software in development environments from 3,000 organizations across 25,000 applications.
Some things uncovered in the report were reaffirming, others were concerning. Sonatype measured organizations using an astounding 229,000 components annually. That’s a lot of components to manage, to be sure. But it also introduces a lot of potential risk. And, with that in mind, Sonatype found that:
6.8% of application components contained at least one known security vulnerability. That’s roughly 16,000 components per organization studied -- a lot of added attack surface.
Key findings from the report include:
- The number of open source component download requests rose 82 percent to 31 billion in 2015 from 17 billion in 2014.
- 10,000 new component versions are introduced daily across development ecosystems.
- Component sourcing practices are inefficient and software vulnerabilities are pervasive
  - Enterprises download more than 229,000 components annually but, on average, only 5,000 component downloads are unique.
  - Open source components vary widely in terms of quality, and 6.1 percent of downloads (1 in 16 components) include a known security defect.
- Organizations struggle with vulnerable parts
  - Data from 25,000 applications demonstrates that 6.8 percent of components in use had at least one known security defect, revealing that downloads of poor-quality components are making their way into production.
  - Parts age and grow stale quickly. Older components (age 3+ years) used in applications are disproportionately less healthy and are three times more likely to contain vulnerabilities.
- Industry is taking action
  - Top-performing enterprises, federal regulators and industry associations have embraced the principles of software supply chain automation to improve the safety, quality and security of software.
In an interview, Bruce Mayhew, Director of Research and Development at Sonatype, said he found many things in the report surprising. “One of the first ones that surprised me was the staggering growth and consumption of open source software and how prevalent open source components are in modern-day applications,” he said. “Another thing that surprised me was the lack of visibility and control that security, legal, and architecture teams have over their consumption of open source components. I think the last thing that surprised me were that some of the public open source repositories are mutable in that they allow changing of the bits for a specifically versioned and published component, or that they allow the removal of published artifacts. Those were the three big surprises for me.”
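Two of the report's findings, mutable repositories (a published version's bits changed or the artifact removed) and stale components (3+ years old), are things a build pipeline can check for itself. The following is an added example, not code from Sonatype or the report: it pins each approved component by SHA-256 digest and publish date (all coordinates, bytes and dates are constructed), then audits what the repository serves today against that record.

```python
import hashlib
from datetime import date


def sha256_hex(data: bytes) -> str:
    """Digest of an artifact's bytes; this is what a pin should record."""
    return hashlib.sha256(data).hexdigest()


# Constructed inventory of what was vetted when each component was first pulled.
# Each entry pins the exact bytes (by digest) and records the version's publish date.
APPROVED = {
    "example-lib:1.4.2": {
        "sha256": sha256_hex(b"example-lib 1.4.2 original bytes"),
        "published": date(2012, 3, 1),
    },
    "example-util:2.0.0": {
        "sha256": sha256_hex(b"example-util 2.0.0 original bytes"),
        "published": date(2015, 6, 15),
    },
    "example-parser:0.9.1": {
        "sha256": sha256_hex(b"example-parser 0.9.1 original bytes"),
        "published": date(2014, 11, 2),
    },
}

# Constructed view of what the repository serves today: one artifact's bytes were
# republished under the same version, and one artifact has been removed.
REPOSITORY_NOW = {
    "example-lib:1.4.2": b"example-lib 1.4.2 original bytes",
    "example-util:2.0.0": b"example-util 2.0.0 REPUBLISHED bytes",
    # "example-parser:0.9.1" is no longer available
}

STALE_AFTER_DAYS = 3 * 365  # the report's "3+ years" threshold


def audit(approved: dict, repo_now: dict, today: date) -> dict:
    """Return {coordinate: [findings]} for every pinned component with a problem."""
    findings = {}
    for coord, record in approved.items():
        issues = []
        data = repo_now.get(coord)
        if data is None:
            issues.append("removed")            # artifact unpublished upstream
        elif sha256_hex(data) != record["sha256"]:
            issues.append("digest-mismatch")    # same version, different bits
        if (today - record["published"]).days > STALE_AFTER_DAYS:
            issues.append("stale")              # older than three years
        if issues:
            findings[coord] = issues
    return findings
```

Run `audit(APPROVED, REPOSITORY_NOW, date(2016, 7, 1))` to see one component flagged as stale, one as republished with different bits, and one as removed; a digest mismatch is the case to treat as a hard build failure.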
Mayhew also stressed the importance of open source software security. “Open source components are everywhere, across all languages. Ecosystems that house open source components sometimes have very little control over the software within their own repositories. If you were building a swing-set for your kids, would you want the generic bolts from the Dollar Store, or would you want a higher-grade bolt from the hardware store?”
“It's hard to say which one's better without knowing some basic quality facts like shear strength, or will they rust apart after two years? This is the type of information that we all need about our software components, and today people just don't have it,” Mayhew continued. “I think people have to come to grips that open source is good for software development. It helps us be more innovative in what we build because we don't have to reinvent the wheel with every single application that we build. As our applications become more complex and our choices become vast, we need to get in front of helping developers and enterprises make better decisions on the risk of what is being used.”
The report is worth a read for anyone concerned with software security. Sonatype says it studied the patterns and practices exhibited by high-performance organizations and documented how they use software “supply chain automation” to manage the flow and variety of open source components, and how they reduce risk in doing so. Verticals studied include banking, insurance, defense, energy, technology and government.