Report: 96% of vulnerable open source downloads are preventable


As the industry’s reliance on open source software has grown, so has the number of known software supply chain attacks, which have increased 742% over the past three years, according to Sonatype’s eighth annual State of the Software Supply Chain report. The report finds that 1.2 billion vulnerable dependencies are downloaded each month, and that 96% of those downloads had a non-vulnerable version available. Consumer behavior, rather than open source maintainers, is therefore often cited in public discussions as the cause.

One of the reasons for this trend is the increase and evolution of software supply chain attacks. The report reveals a 633% year-over-year increase in malicious attacks targeting open source in public repositories – and a 742% average annual increase in software supply chain attacks since 2019.

Image source: Sonatype.

While cybercriminals are nothing new, the frequency, severity, and sophistication of these malicious attacks are becoming a major issue plaguing developers and organizations around the world. Developers are urged to maintain a working knowledge of software quality, multiple open source ecosystems, fluctuating regulations, and nearly 1,500 dependency changes per year, per application, all in the face of ever-changing attacks.

So what can be done? Minimizing dependencies and keeping update times short are key factors in reducing the risk of transitive vulnerabilities, the most common source of security risk.
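To make the two recommendations concrete, the following added example (not from the article or from Sonatype) walks a small, constructed dependency graph, flags the components that match a constructed advisory table, records how deep in the tree each one sits, and reports whether a non-vulnerable version exists for it. Package names, versions and advisory identifiers are placeholders; nothing here refers to real packages or real CVEs.

```python
"""Audit a resolved dependency graph for components with known advisories.

Reports, for each hit, whether it is a direct or transitive dependency, the path
by which it is pulled in, and whether a fixed version exists. The share of hits
with a fix available is the "preventable" fraction the report talks about.

All data below is constructed for illustration (placeholder names and IDs).
"""
from collections import deque


def parse_version(version: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def split_coordinate(coord: str) -> tuple:
    """'name@version' -> ('name', 'version')."""
    name, version = coord.rsplit("@", 1)
    return name, version


# Constructed graph: coordinate -> coordinates it requires.
DEPENDENCY_GRAPH = {
    "app@1.0.0": ["webfw@2.3.1", "httpclient@4.0.2"],
    "webfw@2.3.1": ["templating@1.8.0", "jsonlib@2.1.0"],
    "httpclient@4.0.2": ["jsonlib@2.1.0"],
    "templating@1.8.0": ["jsonlib@2.1.0"],  # diamond: jsonlib reached by several paths
    "jsonlib@2.1.0": [],
}

# Constructed advisory table: versions strictly below 'affected_below' are
# vulnerable; 'fixed' is the first safe version, or None if none is published.
ADVISORIES = {
    "jsonlib": {"id": "EXAMPLE-0001", "affected_below": "2.2.0", "fixed": "2.2.0"},
    "templating": {"id": "EXAMPLE-0002", "affected_below": "1.9.0", "fixed": None},
}


def resolve_transitive(graph: dict, root: str) -> dict:
    """Breadth-first walk from root. Returns name -> version, depth and the
    shortest path of coordinates that introduces it (depth 1 = direct)."""
    resolved = {}
    seen = {root}
    queue = deque([(root, 0, (root,))])
    while queue:
        coord, depth, path = queue.popleft()
        name, version = split_coordinate(coord)
        if coord != root:
            resolved[name] = {"version": version, "depth": depth, "path": path}
        for child in graph.get(coord, []):
            if child not in seen:
                seen.add(child)
                queue.append((child, depth + 1, path + (child,)))
    return resolved


def audit(graph: dict, root: str, advisories: dict) -> list:
    """Match every resolved component against the advisory table."""
    findings = []
    for name, info in resolve_transitive(graph, root).items():
        advisory = advisories.get(name)
        if advisory is None:
            continue
        if parse_version(info["version"]) < parse_version(advisory["affected_below"]):
            findings.append({
                "package": name,
                "version": info["version"],
                "advisory": advisory["id"],
                "depth": info["depth"],
                "transitive": info["depth"] > 1,
                "path": " -> ".join(info["path"]),
                "fixed_version": advisory["fixed"],
            })
    return findings


def preventable_fraction(findings: list) -> float:
    """Share of findings for which a non-vulnerable version already exists."""
    if not findings:
        return 0.0
    fixable = sum(1 for f in findings if f["fixed_version"] is not None)
    return fixable / len(findings)


if __name__ == "__main__":
    results = audit(DEPENDENCY_GRAPH, "app@1.0.0", ADVISORIES)
    for f in results:
        kind = "transitive" if f["transitive"] else "direct"
        fix = f["fixed_version"] or "no fix published"
        print(f"{f['package']}@{f['version']} ({kind}, depth {f['depth']}): "
              f"{f['advisory']}, fix: {fix}, via {f['path']}")
    print(f"preventable: {preventable_fraction(results):.0%}")
```

The path and depth fields are what make the "minimize dependencies" advice actionable: a finding at depth 2 or more cannot be fixed by editing the application's own manifest, only by upgrading (or dropping) the direct dependency that pulls it in, which is why a short update cycle matters as much as a small dependency count.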


However, reducing vulnerabilities is not limited to project security: it also affects job satisfaction. In a survey of engineering professionals, people from organizations with higher levels of software supply chain maturity were 2.7 times more likely to strongly agree with the statement “I am satisfied with my work”.

Interestingly, there is a clear disconnect between the security measures actually in place and what IT professionals believe is in place. Sixty-eight percent of respondents were confident that their applications did not use vulnerable libraries. However, in a random scan of enterprise applications, 68% had known vulnerabilities in their open source software components.

IT managers were 2.4 times more likely than respondents working in information security to strongly agree with “We approach resolving security issues as a regular part of development”.

To innovate faster and grow at scale, organizations need to make it as easy as possible for developers to build secure and maintainable software, which includes providing them with smarter tools that provide more visibility into their systems and automate their process.

Sonatype’s eighth annual State of the Software Supply Chain report combines a wide range of public and proprietary data and analysis, including 131 billion Maven Central downloads, survey results from 662 software engineering professionals, and an evaluation of 85,000 enterprise applications.

Read the full Sonatype report.
