Open source is fueling digital transformation
Developer demand for open source increased 73 percent over the last year, and in 2021 developers around the world will download more than 2.2 trillion open source packages from the top four ecosystems.
The latest Software Supply Chain Report from Sonatype shows a 20 percent increase in supply, too, with the top four open source ecosystems now containing a combined 37,451,682 different versions of components.
Despite this huge choice, though, production apps are found to use only six percent of the available projects.
However, this comes at the cost of a 650 percent increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems. The report finds that 29 percent of popular project versions contain at least one known security vulnerability. Conversely, only 6.5 percent of non-popular project versions do so, suggesting that security researchers -- both good and bad -- are focused on the most utilized projects.
"This year's State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks," says Matt Howard, EVP of Sonatype. "While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilized. Further, we now know that popular projects contain disproportionately more vulnerabilities. This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions."
Among other findings, commercial engineering teams manage only 25 percent of the components they use, leaving the majority of their open source dependencies stale and thus exposed to increased security risk.
The findings also show that, equipped with intelligent automation, a medium-sized enterprise with 20 application development teams would save a total of 160 developer days a year, amounting to $192,000 a year.
The full report is available on the Sonatype site.