DevOps practices help improve the quality of open source components
The use of open source components can speed up software development, but it carries a risk: poor-quality code in those components can lead to vulnerable applications being released.
The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations which actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.
"Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts," says Wayne Jackson, CEO of Sonatype. "However, many still rely on manual and time-consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity."
The report also finds that open source component suppliers are slow to fix vulnerabilities. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even among those the mean time to remediation is 233 days, so a vulnerable version can remain the latest available for most of a year after disclosure. This puts the onus on DevOps organizations to govern which OSS projects they depend on, and which component versions they ultimately ship.
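One way to turn that governance into a build-time gate, as an added example that is not code from Sonatype or from the report: score each declared dependency on the two signals the report highlights, whether the upstream project fixes disclosed vulnerabilities at all and how long it takes. The component names, advisory dates and versions below are constructed sample data (libgamma's 233-day remediation is chosen to mirror the report's mean), and the 90-day MTTR and 50 percent fix-rate thresholds are a hypothetical policy, not figures from the report.

```python
"""Dependency governance gate (added example, not Sonatype's tooling).

Scores each declared dependency on the two signals the report calls out:
whether the upstream project fixes disclosed vulnerabilities at all, and how
long it takes (mean time to remediation, MTTR).  All advisories, versions and
thresholds below are constructed sample data for illustration.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean
from typing import Optional


@dataclass(frozen=True)
class Advisory:
    project: str
    disclosed: date
    fixed_in: Optional[str]   # first non-vulnerable release, None if never fixed
    fixed_on: Optional[date]  # date that release shipped, None if never fixed


@dataclass(frozen=True)
class Dependency:
    project: str
    version: str


def parse_version(v: str) -> tuple:
    """Plain dotted-integer versions only (no pre-release tags) for this example."""
    return tuple(int(p) for p in v.split("."))


def fix_rate(advs) -> Optional[float]:
    """Share of a project's advisories that ever got a fix; None with no history."""
    return sum(a.fixed_on is not None for a in advs) / len(advs) if advs else None


def mttr_days(advs) -> Optional[float]:
    """Mean days from disclosure to shipped fix, over fixed advisories only."""
    fixed = [(a.fixed_on - a.disclosed).days for a in advs if a.fixed_on]
    return mean(fixed) if fixed else None


def is_affected(dep: Dependency, adv: Advisory) -> bool:
    """Unfixed advisories affect every version; otherwise anything below fixed_in."""
    return adv.fixed_in is None or parse_version(dep.version) < parse_version(adv.fixed_in)


def evaluate(deps, advisories, max_mttr_days=90, min_fix_rate=0.5):
    """Return {project: (decision, reason)}; the thresholds are a hypothetical policy."""
    history = {}
    for a in advisories:
        history.setdefault(a.project, []).append(a)
    results = {}
    for d in deps:
        advs = history.get(d.project, [])
        open_advs = [a for a in advs if is_affected(d, a)]
        rate, mttr = fix_rate(advs), mttr_days(advs)
        slow = (rate is not None and rate < min_fix_rate) or \
               (mttr is not None and mttr > max_mttr_days)
        if any(a.fixed_in is None for a in open_advs):
            verdict = ("BLOCK", "vulnerable and upstream never shipped a fix: replace the component")
        elif open_advs:
            target = max((a.fixed_in for a in open_advs), key=parse_version)
            verdict = ("BLOCK", f"vulnerable: upgrade to >= {target}")
        elif slow:
            # Current version is clean, but the project's track record says the next
            # disclosure will likely stay open for a long time: plan an exit now.
            verdict = ("WARN", f"clean today, but upstream fix rate {rate:.0%} / MTTR {mttr:.0f} days")
        else:
            verdict = ("OK", "no open advisories" if advs else "no advisory history")
        results[d.project] = verdict
    return results


def gate_passes(results) -> bool:
    """A single BLOCK fails the build; WARN entries are reported but do not fail it."""
    return not any(decision == "BLOCK" for decision, _ in results.values())


# Constructed advisory feed; libgamma's 233-day remediation mirrors the report's mean.
SAMPLE_ADVISORIES = [
    Advisory("libalpha", date(2016, 1, 10), "2.1.0", date(2016, 1, 30)),
    Advisory("libalpha", date(2016, 3, 1), "2.2.0", date(2016, 4, 10)),
    Advisory("libbeta", date(2015, 6, 1), None, None),
    Advisory("libgamma", date(2015, 11, 1), "1.4.0", date(2016, 6, 21)),
    Advisory("libepsilon", date(2016, 5, 2), "3.1.0", date(2016, 5, 12)),
]

# Constructed dependency manifest, e.g. what a lockfile or SBOM would list.
SAMPLE_DEPS = [
    Dependency("libalpha", "2.2.0"),
    Dependency("libbeta", "0.9.3"),
    Dependency("libgamma", "1.4.0"),
    Dependency("libdelta", "1.0.0"),
    Dependency("libepsilon", "3.0.1"),
]

if __name__ == "__main__":
    report = evaluate(SAMPLE_DEPS, SAMPLE_ADVISORIES)
    for project, (decision, reason) in report.items():
        print(f"{decision:5} {project}: {reason}")
    raise SystemExit(0 if gate_passes(report) else 1)
```

The point of the WARN branch is the one the report's numbers make: a component can be free of open advisories today and still be a poor choice because its project has shown it will not fix the next one quickly. A real gate would read the advisory feed from a vulnerability database and the dependency list from the build's lockfile rather than from the constructed lists above.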
On a positive note, in 2016 the percentage of Java components downloaded from the Central Repository that contained known security vulnerabilities fell to 5.5 percent, down from 6.1 percent the year before. Although this still isn't ideal, it is evidence that hygiene is beginning to improve, with the ratio declining slightly in each of the last three years. The regulatory landscape is helping too, with government agencies and industry bodies releasing new guidelines to improve the quality, safety, and security of software supply chains.
You can find out more in the full report which is available to download from the Sonatype website.