96 percent of known open source vulnerabilities can be easily avoided

With more open source being consumed than ever before, attacks targeting the software supply chain have increased too, both in frequency and complexity. A new report reveals a 633 percent year on year increase in malicious attacks aimed at open source in public repositories -- this equates to a 742 percent average yearly increase in software supply chain attacks since 2019.

The latest State of the Software Supply Chain Report from Sonatype, released today at the DevOps Enterprise Summit, also finds that 96 percent of open source Java downloads with known-vulnerabilities could have been avoided because a better version was available, but was ignored.

"This astonishing finding highlights how critical it is for engineering teams to continue education on open source risk and embrace intelligent automation to support their efforts. Humans are fallible, and the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality," says Brian Fox, co-founder and CTO of Sonatype. "The good news is, this year's report also shows 'optimal' dependency management is possible. Further, despite the continued attention on trying to 'fix open source,' the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event."

The report also shows a gap between perceived security and reality in software development. 68 percent of survey respondents were confident that their applications are not using known vulnerable libraries, but in a random sample of enterprise applications, 68 percent contained known vulnerabilities.

The survey reveals an ongoing bias, with managers reporting higher stages of maturity than are reported by other roles. This is perhaps unsurprising as the average Java application contains 148 dependencies (20 more than last year), and the average Java project updates 10 times a year -- meaning developers are tasked with tracking intelligence on nearly 1,500 dependency changes per year, per application they work on.

"This year's State of the Software Supply Chain report demonstrates how open source and software development is ever-evolving, and the imperative need to evolve with it," Fox adds. "Our research shows that the number of dependencies per open source project is growing, and that these dependencies are a critical driver of risk. Immature organizations expect their developers to stay on top of license compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures like speed. It comes as no surprise that job satisfaction is heavily linked to the software supply chain practices maturity. This sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation."

The full report is available on the Sonatype site.

Image credit: billiondigital/depositphotos.com
