DevOps practices help improve the quality of open source components


The use of open source components can help speed up the software development process, but it comes with a risk if poor quality code leads to vulnerable applications being released.

The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations which actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.

"Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts," says Wayne Jackson, CEO of Sonatype. "However, many still rely on manual and time consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity."

Among the report's other findings is that year-on-year downloads of Java components have grown 68 percent (52 billion in 2016), JavaScript downloads grew 262 percent (59 billion in 2016), and demand for Docker components is expected to grow 100 percent (12 billion downloads). Faced with a near infinite supply of open source components, high-functioning DevOps organizations are turning to machine automation to govern the quality of open source components flowing through their software supply chains.

It also reveals that open source component suppliers are slow to fix vulnerabilities. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation is 233 days. This puts the onus on DevOps organizations to actively govern which OSS projects they work with, and which components they ultimately use.

On a positive note, in 2016, the percentage of Java components downloaded from the Central Repository that contained known security vulnerabilities fell to 5.5 percent, down from 6.1 percent the year before. Although this still isn't ideal it is evidence that hygiene is beginning to improve with ratios declining slightly in each of the last three years. The regulatory landscape is helping too, with government agencies and industry bodies releasing new guidelines to improve the quality, safety, and security of software supply chains.

You can find out more in the full report which is available to download from the Sonatype website.

Photo Credit: anathomy/Shutterstock

Comments are closed.

© 1998-2024 BetaNews, Inc. All Rights Reserved. Privacy Policy - Cookie Policy.