Sonatype’s 2018 State of the Software Supply Chain Report Reveals Use of Vulnerable Open Source Increased 120%, Despite Equifax Breach

Sonatype’s 2018 State of the Software Supply Chain Report


New data shows managed software supply chains are 2X more efficient and 2X more secure

FULTON, MD – September 25, 2018 – Sonatype today released its fourth annual State of the Software Supply Chain Report which found that software developers downloaded more than 300 billion open source components in the past 12 months, and that 1 in 8 of those components contained known security vulnerabilities.

The comprehensive benchmark report incorporates a combination of public and proprietary data to examine patterns and practices underpinning open source software development and modern software supply chains. Key findings in this year’s report include:

Managed software supply chains are 2X more efficient and 2X more secure:
    Automated OSS security practices reduce the presence of vulnerabilities by 50%
    DevOps teams are 90% more likely to comply with open source governance when security policies are automated
The window to respond to vulnerabilities is shrinking rapidly:
    Over the past decade, the mean time to exploit a security vulnerability in the wild has compressed 400%, from an average of 45 days to just 3
Hackers are beginning to assault software supply chains:
    Over the last 18 months, at least 11 separate events point to a serious escalation of attacks on software supply chains
    These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications
Industry lacks meaningful open source controls:
    1.3 million vulnerabilities in OSS components have no corresponding CVE advisory in the public NVD database
    62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications
Governments are stepping in as enterprises struggle to self-regulate:
    19 different governmental organizations around the world have called for improved OSS security and governance
Supply of, and demand for, open source shows no sign of slowing down:
    More than 15,000 new or updated open source releases are made available to developers every day
    The average enterprise downloaded 170,000 Java components in 2017, up 36% year over year

Supporting Quotes:

Wayne Jackson, CEO, Sonatype

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk. A series of high profile and devastating cyber attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

Gene Kim, Researcher and co-author of “The Phoenix Project,” “The DevOps Handbook,” and “Accelerate”

“We live in an age where the majority of the software we deliver is not written by us — instead, we rely on a huge and sprawling software supply chain of open source components. As valuable as open source software has become, there is a significant and hidden economic cost of using these software dependencies. One of the most telling indicators is that some of the highest-profile security breaches in the last year were due to not using the most current component versions, which enabled software vulnerabilities to be exploited to devastating effect. This report shows how critical the open source component ecosystem is to all of us, and the wide variance in practice in both the producers and consumers of open source software.”

Kevin E. Greene, Principal Software Assurance Engineer, The MITRE Corporation

“We are seeing more breaches in open source software because of the gravitational force that pulls features, complexity, and technical debt towards a software system over time, which makes it very difficult to patch in a timely fashion. Unfortunately, that hasn’t changed the consumption rate of open source software by developers. This is consistent with what I believe is a growing concern…that developers may have surrendered to the idea that all software is vulnerable and has known vulnerabilities. We must give developers better supply chain options where quality and security are intrinsically designed-in.”

DJ Schleen, Security Architect and DevSecOps Idealist, Fortune 50 Insurance Corporation

“Only a decade ago, you’d look under the hood of the software your business buys and see a black box. Today we have the opportunity to open the hood to see the engine and all of its parts. Consumers and high performing DevOps organizations alike should not accept the risks of having known vulnerable open source components in their products. While new regulations begin to address the problem, this is one that good corporate citizens should have taken care of themselves.”

Hasan Yasar, Technical Manager and Adjunct Faculty Member, Carnegie Mellon University

“In 476 B.C. Master Sun (The Art of War, Sunzi Sun Tzu) said ‘know yourself, know your enemy and you shall win a hundred battles without loss.’ The same is true when it comes to software development in 2018. If we know what we have in our code – including OSS – (ourselves) and know where vulnerabilities are (our enemy), then we can create secure software. As the use case for OSS only gets stronger, this year’s State of the Software Supply Chain Report once again shows that OSS vulnerabilities are growing exponentially. We cannot simply ignore the problem anymore; we must know the enemy in order to defeat it.”

Scott Crawford, Research Director – Information Security, 451 Research

“As with any technology, open source software (OSS) components deliver many unique advantages. They also come with their own set of risks: licensing issues and exposure to known security vulnerabilities are two of the best known. Before an organization can assess these exposures, an accurate and up-to-date inventory of OSS components is required. This year’s State of the Software Supply Chain report shows that too many organizations are still failing at this most basic line of cyber hygiene. In fact, more than 62% admitted to not having meaningful controls over what OSS components are used in their applications.”

About the State of the Software Supply Chain Report

The 2018 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis. This year’s report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

Additional Resources

Read the 2018 State of the Software Supply Chain report
Read our blog
Create a software Bill of Materials for free
Learn more about Sonatype software supply chain automation solutions
About Sonatype
