Companies continue to use vulnerable open source components
Use of known vulnerable open source components has increased by 120 percent over the last year and 62 percent of organizations say they have no meaningful control over OSS components, according to a new study.
Sonatype's fourth annual State of the Software Supply Chain Report shows that open source continues to be a key driver of innovation -- with software developers downloading more than 300 billion open source components in the past 12 months. However, hackers are exploiting this growing trend, and even beginning to inject vulnerabilities directly into open source projects.
Currently, over 1.3 million vulnerabilities in OSS components have no corresponding CVE advisory in the public NVD database. The report also offers a country-by-country analysis, revealing that 14 percent of downloads by US developers and 12 percent of downloads by UK developers contain a vulnerable component.
"As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it are increasingly at risk," says Wayne Jackson, CEO of Sonatype. "A series of high-profile and devastating cyber attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year's report proves, however, that secure software development isn't out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly."
Other findings include that more than 15,000 new or updated open source releases are made available to developers every day, and that the average enterprise downloaded 170,000 Java components in 2017, up 36 percent over the previous year.
The report also finds that automation plays a critical role in mitigating risk and supporting innovation, with automated software supply chains reported as 2X more efficient and 2X more secure than manual ones.
The full report is available from the Sonatype website.