A report from Sonatype has revealed a 73 percent surge in demand for open-source components despite a year of high-profile vulnerabilities.
The growing reliance on open-source components to keep pace with modern development makes them a prime target for attackers. Software supply chain attacks have made national headlines over the past year, most notably the SolarWinds compromise, although that attack subverted a vendor's build pipeline rather than an open-source package.
In fact, Sonatype’s report highlights a 650 percent year-on-year increase in supply chain attacks aimed at upstream public repositories.
“This year’s State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype.
The leading four open-source ecosystems now feature a combined 37,451,682 different versions of components. The aforementioned 73 percent surge in demand means that, in 2021, developers are expected to download more than 2.2 trillion open source packages from the top four ecosystems.
“While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilised,” added Howard. “Further, we now know that popular projects contain disproportionately more vulnerabilities.
“This stark reality highlights both a critical responsibility and opportunity for engineering leaders to embrace intelligent automation so they can standardise on the best open-source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”
The analogy is Windows versus macOS: Windows machines see more attacks not necessarily because they are less secure, but because their larger install base makes them a more valuable target.
The same holds for open-source projects. Sonatype found that the most popular projects are also the most likely to carry known vulnerabilities: 29 percent of popular projects have at least one known security vulnerability, compared with 6.5 percent of unpopular projects.
Developers who want to reduce their exposure should look at a project's mean time to update (MTTU), the time it takes to adopt new versions of its own dependencies once they are released. Projects with a faster MTTU were found to be 1.8 times less likely to have vulnerabilities.
However, the report also finds that developers make "suboptimal" choices 69 percent of the time when updating third-party dependencies. Newer versions are generally better, but not always: the newest release is not automatically the safest one, so the target version should be checked rather than assumed.
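As an added example (not part of the article or of Sonatype's tooling), the script below computes a dependent project's MTTU from constructed release and upgrade timelines for a hypothetical library, libfoo, and flags upgrades that look suboptimal. The "suboptimal" heuristic used here, landing on a version with a known vulnerability or skipping a newer vulnerability-free release that was already available, is this example's own assumption and not the report's definition.

```python
"""Mean time to update (MTTU) and a suboptimal-upgrade check for one dependency.

Added example, not from Sonatype's report or tooling. The release and upgrade
timelines are constructed for a hypothetical library "libfoo"; the definition
of a "suboptimal" upgrade below is this example's own assumption.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Release:
    version: str
    released: date
    vulnerable: bool = False  # a known vulnerability is published for this version


@dataclass(frozen=True)
class Upgrade:
    version: str   # version the dependent moved to
    adopted: date  # date the dependent pinned it


# Constructed upstream release history for the hypothetical library libfoo.
LIBFOO_RELEASES = [
    Release("1.0.0", date(2021, 1, 10)),
    Release("1.1.0", date(2021, 3, 1), vulnerable=True),
    Release("1.1.1", date(2021, 3, 15)),
    Release("1.2.0", date(2021, 6, 1)),
    Release("1.3.0", date(2021, 8, 1), vulnerable=True),
]

# Constructed upgrade history of a dependent project that pins libfoo.
DEPENDENT_UPGRADES = [
    Upgrade("1.0.0", date(2021, 1, 12)),
    Upgrade("1.1.0", date(2021, 4, 1)),   # picked a vulnerable version while 1.1.1 existed
    Upgrade("1.2.0", date(2021, 6, 20)),
    Upgrade("1.3.0", date(2021, 8, 5)),   # newest, but it carries a known vulnerability
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple: "1.10.2" > "1.9.0"."""
    return tuple(int(part) for part in version.split("."))


def mean_time_to_update(releases, upgrades):
    """Average number of days between an upstream release and its adoption.

    Each adopted version contributes one lag (adopted date minus release date).
    """
    if not upgrades:
        raise ValueError("no upgrades recorded; MTTU is undefined")
    by_version = {r.version: r for r in releases}
    lags = [(u.adopted - by_version[u.version].released).days for u in upgrades]
    return sum(lags) / len(lags)


def best_available(releases, on):
    """Newest release without a known vulnerability that existed on the given date."""
    candidates = [r for r in releases if r.released <= on and not r.vulnerable]
    return max(candidates, key=lambda r: parse_version(r.version))


def suboptimal_upgrades(releases, upgrades):
    """Return (chosen, better) pairs for upgrades that did not land on the best
    available version at the time: either a vulnerable version was chosen, or a
    newer clean version was already published and skipped."""
    flagged = []
    for u in upgrades:
        best = best_available(releases, u.adopted)
        if parse_version(u.version) != parse_version(best.version):
            flagged.append((u.version, best.version))
    return flagged


if __name__ == "__main__":
    print(f"MTTU: {mean_time_to_update(LIBFOO_RELEASES, DEPENDENT_UPGRADES):.1f} days")
    for chosen, better in suboptimal_upgrades(LIBFOO_RELEASES, DEPENDENT_UPGRADES):
        print(f"suboptimal: chose {chosen}, {better} was the best available")
```

On the constructed data the dependent's MTTU is 14 days, and two of its four upgrades are flagged: the move to 1.1.0 after 1.1.1 had already shipped, and the move to 1.3.0, which is the newest release but has a known vulnerability, where 1.2.0 was the better choice.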
You can find a full copy of Sonatype’s 2021 State of the Software Supply Chain report here.
Want to learn about DevOps from leaders in the space? Check out the DevOps-as-a-Service Summit on 1 February 2022, where attendees will learn about the benefits of building collaboration and partnerships in delivery.