Good news, bad news in new open source software report
It is possible to manage your open source software supply chain to reduce the risk of vulnerabilities and breaches. The problem is, not everyone is following this advice, according to the 2019 State of the Software Supply Chain Report, which was released yesterday by DevOps automation firm Sonatype.
While there has been a 71% increase in confirmed or suspected open source-related breaches since 2014, and 25% of organisations reported a confirmed or suspected open source-related breach in the past year, the news on the open source security front is not all bad.
This is the fifth annual report on global open source software development and is based on what is arguably one of the largest data sources ever tapped for this kind of research: 36 000 open source project teams, 3.7 million open source component releases, 12 000 commercial engineering teams and two surveys with a combined participation of 6 200 development professionals.
However, popularity does not infer less vulnerability. The percentage of vulnerable Java components downloaded has increased substantially over the past four years, from 6.1% in 2015 to 12.1% in 2018. This dropped slightly to 10.3% in the current survey.
The rise in overall open source-related breaches should be seen against the background of the massive growth in the use of open source components. According to the research, there has been 75% growth in the supply of open source component releases over the past two years, and 148-billlion download requests from the Central Repository alone in the past 12 months – a year-on-year increase of 68%.
In addition, the research indicated a 55% reduction in the use of vulnerable open source components – but largely within managed software supply chains.
The report highlighted the benefits of the managed approach and best practices adopted by what it terms `exemplary’ open source software projects and commercial application development teams.
According to Wayne Jackson, CEO of Sonatype, the tried and tested advice to organisations was to rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software.
“For organisations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%,” he said.
For organisations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year’s report are impressive.
However, it appears that some open source component users are oblivious to all advice and warnings. A shocking finding in the report was that despite the publicity and warnings relating to Apache Struts, which was responsible for the infamous breach at Equifax in 2017, these warnings have been widely ignored. Sonatype’s analysis of Struts downloads from the Central Repository revealed that the volume of monthly vulnerable downloads continued to rise; just one year after the breach, Struts downloads increased 11% to 2.1 million, and it has not slowed since.