Vulnerable software components widely used by enterprises
The average UK enterprise has downloaded over 21,000 software components with a known vulnerability in the past year alone, according to new data from Sonatype, the DevSecOps automation specialist.
Sonatype's fifth annual State of the Software Supply Chain Report has studied over 12,000 enterprise development companies globally and shows that of the average 248,000 open source components downloaded by British business in 2018, 8.8 percent have a known security flaw.
Of these vulnerabilities, 30 percent -- some 6300 -- are deemed critical, posing a serious risk to the security of the software that depends on them. Adversaries are increasingly targeting open source components too, with a 71 percent increase in open source related breaches over the past five years and 24 percent of organizations confirming or suspecting an OSS related breach.
There is some good news though, with the report identifying coding practices that are proven to significantly mitigate these threats. The findings also reveal a slight decrease in vulnerable downloads, from one in eight in 2017 to one in 10 last year, as businesses improve their software supply chain management. The report also found that developers who use the most current versions of their open source component dependencies dramatically reduce their cybersecurity risk.
"We have long advised business that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software," says Wayne Jackson, CEO of Sonatype. "For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year's report are impressive. Use of known vulnerable component releases was reduced by 55 percent."
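The practices the report credits (automated checks of component releases against known advisories, and staying on current versions) can be illustrated with a small dependency audit. The script below is an added example, not Sonatype's tooling or part of the report: it takes a constructed manifest of pinned components, a constructed advisory list giving the first fixed release for each flaw, and a constructed "latest release" table of the kind a package registry would serve, then reports which pinned releases are known-vulnerable, how many are critical, and how many would be cleared simply by upgrading to the latest version. Component names, versions and severities are all invented for the example.

```python
"""Audit pinned dependencies against a list of known-vulnerable releases.

Added example (not from the report): shows the shape of an automated
component check and the effect of upgrading to current releases.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample manifest: component name -> pinned version.
MANIFEST: Dict[str, str] = {
    "acme-http": "1.2.3",
    "acme-json": "0.9.0",
    "acme-xml": "2.0.1",
    "acme-log": "3.1.0",
}

# Constructed advisory feed: (component, first fixed version, severity).
# A pinned release is affected when it is strictly older than the fix.
ADVISORIES: List[Tuple[str, str, str]] = [
    ("acme-http", "1.2.4", "critical"),
    ("acme-json", "1.0.0", "high"),
    ("acme-log", "3.0.2", "medium"),   # our pin (3.1.0) already carries the fix
]

# Constructed "latest release" table as a registry would publish it.
LATEST: Dict[str, str] = {
    "acme-http": "1.3.0",
    "acme-json": "1.0.2",
    "acme-xml": "2.0.1",
    "acme-log": "3.1.0",
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted numeric version ('1.2.3') into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    component: str
    pinned: str
    fixed_in: str
    severity: str
    latest: str

    @property
    def fixed_by_latest(self) -> bool:
        """True when simply upgrading to the current release removes the flaw."""
        return parse_version(self.latest) >= parse_version(self.fixed_in)


def find_vulnerable(manifest: Dict[str, str],
                    advisories: List[Tuple[str, str, str]],
                    latest: Dict[str, str]) -> List[Finding]:
    """Return one Finding per pinned component older than an advisory's fix."""
    findings: List[Finding] = []
    for component, fixed_in, severity in advisories:
        pinned = manifest.get(component)
        if pinned is None:
            continue  # advisory is for a component we do not use
        if parse_version(pinned) < parse_version(fixed_in):
            findings.append(Finding(component, pinned, fixed_in, severity,
                                    latest.get(component, pinned)))
    return findings


def summarize(manifest: Dict[str, str], findings: List[Finding]) -> Dict[str, float]:
    """Aggregate counts in the same terms the report uses (share vulnerable, critical)."""
    total = len(manifest)
    vulnerable = len(findings)
    return {
        "total": total,
        "vulnerable": vulnerable,
        "critical": sum(1 for f in findings if f.severity == "critical"),
        "vulnerable_pct": round(100.0 * vulnerable / total, 1) if total else 0.0,
        "fixed_by_latest": sum(1 for f in findings if f.fixed_by_latest),
    }


if __name__ == "__main__":
    results = find_vulnerable(MANIFEST, ADVISORIES, LATEST)
    for f in results:
        action = "upgrade to %s" % f.latest if f.fixed_by_latest else "no fixed release yet"
        print(f"{f.component} {f.pinned}: {f.severity} (fixed in {f.fixed_in}); {action}")
    print(summarize(MANIFEST, results))
```

Run as a pre-merge or nightly job, a check like this is what turns "use current versions" from advice into an enforced gate: the `fixed_by_latest` count tells the team how much of their exposure is removed by routine upgrades, and anything left over points to a supplier worth reconsidering.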
You can find out more about the report on the Sonatype blog.