
Recently, Sonatype released the latest "Report on the State of the Software Supply Chain in 2021". The report data shows that open source supply, demand, and security vulnerabilities all show "explosive" growth. Among them, open source supply has increased by 20%, open source demand has increased by 73%, and open source attacks have also skyrocketed by 650%. At the same time, open source security and dependency management occupy the dominant position of the "2021 software supply chain".

The report draws on an analysis of 100,000 production applications and 4 million component migrations carried out by developers, together with supply, demand, and security data from the Java (Maven Central), JavaScript (npmjs), Python (PyPI) and .NET (NuGet) ecosystems. Its main findings are summarized below.

Open source supply, demand, and security vulnerabilities all show "explosive" growth

According to the Sonatype report, data on open source supply, open source demand, and open source security vulnerabilities have all shown "explosive" growth in the past year. The details are as follows:

(1) The open source supply has increased by 20%. In the past year, the four major open source ecosystems have released 6,302,733 new versions of components/packages, launched 723,570 new projects, and 27 million developers worldwide have participated. So far, the total number of components/packages in the four major open source ecosystems has reached 37,451,682.

(2) The demand for open source has increased by 73%. In 2021, developers worldwide are expected to download more than 2.2 trillion open source software packages from the four major ecosystems, a significant increase over the previous year.

(3) With the increase in open source downloads, open source attacks have also increased by 650%. In 2021, the world witnessed an exponential increase in software supply chain attacks aimed at exploiting weaknesses in the upstream open source ecosystem.

(4) Production applications use only 6% of available open source projects. Although there are a large number of open source projects available, the current utilization rate is only concentrated on a few popular projects.

(5) Popular open source projects are more vulnerable to attacks. Data shows that 29% of popular project versions currently contain at least one known security vulnerability, whereas only 6.5% of non-popular project versions do. This indicates that security researchers (blackhat and whitehat alike) concentrate on the projects with the highest usage.

Open source vulnerability density by ecosystem

The research released by Sonatype shows that although developers’ demand for open source continues to grow exponentially, the total amount of open source in actual use is still very small.

Among the currently popular projects, the number of vulnerabilities they contain far exceeds the normal proportion. Sonatype pointed out that these facts make clear the key responsibility and opportunity for project leaders at this stage: embracing intelligent automation, which lets them standardize on the best open source suppliers while helping developers keep third-party libraries updated to the best available version.

Frequently updated, less popular open source projects are safer

Sonatype's report data shows that, compared with other projects, open source projects with a faster MTTU (mean time to update their own dependencies) are 1.8 times less likely to be found vulnerable, so such projects are safer.

In addition, a project's popularity is not a good predictor of its security. Generally speaking, more popular open source projects are 2.8 times more likely to contain vulnerabilities than ordinary projects.

Dependency management practices between development teams are quite different

Data shows that, in the open source software supply chain, software developers make sub-optimal choices 69% of the time when updating third-party dependencies. Generally speaking, a newer version of a project is better, but the newest version is not always the best one.

Since commercial engineering teams actively manage only 25% of the components they use, most of their open source dependencies are outdated and exposed to greater security risk.
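The two metrics behind these findings, a project's MTTU (how quickly it adopts new releases of its dependencies) and the staleness of the versions a team has pinned, are straightforward to compute from release history. The following is an added example, not code from Sonatype or from this article; the package names, versions and release dates are constructed sample data standing in for a lockfile history and an upstream registry.

```python
"""Dependency-health metrics: mean time to update (MTTU) and staleness.

Added example, not from the Sonatype report or this article. Package names,
versions and release dates are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date
from statistics import mean


@dataclass(frozen=True)
class Release:
    version: str
    released: date


# Constructed upstream release history for two hypothetical libraries.
UPSTREAM = {
    "libalpha": [
        Release("1.0.0", date(2020, 1, 10)),
        Release("1.1.0", date(2020, 6, 1)),
        Release("1.2.0", date(2021, 2, 15)),
    ],
    "libbeta": [
        Release("2.0.0", date(2019, 11, 5)),
        Release("2.1.0", date(2021, 3, 20)),
    ],
}

# Constructed history of the project's own releases, each with the
# dependency versions it pinned (a simplified lockfile snapshot).
PROJECT_RELEASES = [
    (date(2020, 2, 1), {"libalpha": "1.0.0", "libbeta": "2.0.0"}),
    (date(2020, 9, 1), {"libalpha": "1.1.0", "libbeta": "2.0.0"}),
    (date(2021, 5, 1), {"libalpha": "1.2.0", "libbeta": "2.1.0"}),
]


def release_date(upstream, pkg, version):
    """Look up when a specific upstream version was published."""
    for rel in upstream[pkg]:
        if rel.version == version:
            return rel.released
    raise KeyError(f"{pkg} {version} is not a known upstream release")


def mttu_days(project_releases, upstream):
    """Mean number of days between an upstream release and the project
    release that first adopted it. Only upgrades count (a dependency moving
    from one pinned version to another); the initial pin is not an update.
    Returns None when the history contains no upgrades."""
    pinned = {}
    lags = []
    for released, pins in sorted(project_releases, key=lambda r: r[0]):
        for pkg, version in pins.items():
            if pkg in pinned and pinned[pkg] != version:
                lag = (released - release_date(upstream, pkg, version)).days
                lags.append(lag)
            pinned[pkg] = version
    return mean(lags) if lags else None


def latest_release(upstream, pkg, as_of):
    """Newest upstream release of pkg published on or before as_of."""
    candidates = [r for r in upstream[pkg] if r.released <= as_of]
    return max(candidates, key=lambda r: r.released)


def stale_dependencies(pins, upstream, as_of):
    """Return {pkg: (pinned, latest, days_behind)} for every pinned
    dependency that is not the newest release available on as_of.
    days_behind counts from the newer release's publication to as_of."""
    stale = {}
    for pkg, version in pins.items():
        latest = latest_release(upstream, pkg, as_of)
        if latest.version != version:
            stale[pkg] = (version, latest.version, (as_of - latest.released).days)
    return stale


if __name__ == "__main__":
    print(f"MTTU: {mttu_days(PROJECT_RELEASES, UPSTREAM):.1f} days")
    _, pins = PROJECT_RELEASES[1]
    for pkg, (have, want, days) in stale_dependencies(pins, UPSTREAM, date(2021, 4, 1)).items():
        print(f"{pkg}: pinned {have}, latest {want}, {days} days behind")
```

The staleness check deliberately reports how long a newer release has been available rather than simply "not latest": a pin that fell behind yesterday is a very different risk from one that has ignored upstream for a year, and it is the latter that the 25% figure above describes. Running the same two functions against a real lockfile history and registry metadata gives a team its own MTTU to compare against the report's finding.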

The Sonatype report points out that automation can help a development team save $192,000 per year. For a medium-sized company with 20 application development teams, an intelligent automation system will save the company 160 development days each year.

Software Supply Chain Management Practice: Perception and Reality

The Sonatype study also showed that the development team lacks structured guidance and often makes sub-optimal decisions in software supply chain management.

In general, people believe they are doing a good job of remediating defective components and that they understand the risks. In fact, there is a disconnect between the subjective survey responses and the objective data.

Regarding the current problems in the software supply chain field, Sonatype commented that long-established companies such as Apple, Goldman Sachs, and Amazon, and newer companies such as Zoom, Peloton and Wayfair, have mastered three key competitive advantages:

(1) Know how to use open source and third-party innovation on a large scale
(2) Integrate security and risk control into multiple stages of the software supply chain
(3) Publish higher-quality code faster than competitors

In the past year, fundamental changes have taken place in the way people live and work, and in the way businesses and digital supply chains operate. Today, with digital innovation driving economic development, corporate developers who want to avoid cyber attacks that exploit the software supply chain, or who want to bring innovation to software supply chain management, may find some inspiration in this Sonatype report.

The full version of the Sonatype report:
https://www.sonatype.com/resources/state-of-the-software-supply-chain-2021

Reference link:
https://blog.sonatype.com/2021-state-of-the-software-supply-chain


MissD