
Open Source Continues to Fuel Digital Transformation, Sonatype’s 2021 Software Supply Chain Report Reveals Important Trends

Developer Demand for Open Source Increased 73% Year over Year; 29% of Popular Project Releases Are Vulnerable, Highlighting the Critical Need for Automated Dependency Management
FULTON, Md., Sept. 15, 2021 (GLOBE NEWSWIRE) — Sonatype, the leader in developer-friendly tools for software supply chain automation and security, today released its seventh annual State of the Software Supply Chain Report, which reveals continued strong growth in open source supply and demand dynamics. With regard to open source security risks, the report found a 650% year-over-year increase in supply chain attacks aimed at upstream public repositories, and a striking dichotomy in the level of known vulnerabilities present in popular versus non-popular project versions. This year’s research also presents new empirical metrics that can be used to identify exemplary projects, and data-driven guidance to help software engineering teams decide when, and when not, to update to new versions of open source libraries. Finally, based on survey responses collected from 702 software engineering professionals, the research observes a fundamental disconnect between people’s subjective beliefs about their software supply chain management practices and objective results measured across 100,000 applications.

Sonatype’s 2021 State of the Software Supply Chain Report blends a broad set of public and proprietary data to uncover important trends in modern software development. This year’s report analyzed operational supply, demand and security trends associated with the Java (Maven Central), JavaScript (npmjs), Python (PyPI), and .NET (NuGet) ecosystems. Furthermore, researchers studied software engineering practices gleaned from 100,000 production applications and 4,000,000 component migrations made by developers over the past 12 months. Key findings include:

Open source supply, demand, and security dynamics:

  • Supply increased 20%. The top four open source ecosystems now contain a combined 37,451,682 different versions of components.
  • Demand increased 73%. In 2021 developers around the world will download more than 2.2 trillion open source packages from the top four ecosystems.
  • Attacks increased 650%. In 2021 the world witnessed an exponential increase in software supply chain attacks aimed at exploiting weaknesses in upstream open source ecosystems.
  • Production apps utilize only 6% of available projects. Despite a huge available supply of open source projects, utilization is concentrated in a surprisingly small number of popular projects.
  • Popular projects are more vulnerable. 29% of popular project versions contain at least one known security vulnerability. Conversely, only 6.5% of non-popular project versions do, suggesting that security researchers (black hat and white hat alike) focus on the most utilized projects.

Empirical metrics to identify the best open source projects:

  • Projects with a faster mean time to update (MTTU) are more secure. They were found to be 1.8 times less likely to have vulnerabilities.
  • Popularity is not a good predictor of security. Popular open source projects were 2.8 times more likely to contain vulnerabilities.

Dependency management practices vary widely among development teams:

  • Software developers make suboptimal choices 69% of the time when updating third-party dependencies. Newer versions of projects are generally better, but not always best.
  • Commercial engineering teams only manage 25% of components they use, leaving the majority of their open source dependencies stale and susceptible to increased security risks.
  • Automation could save organizations $192,000 a year. Equipped with intelligent automation, a medium-sized enterprise with 20 application development teams would save a total of 160 developer days a year.

Software Supply Chain Management Practices: Perception vs. Reality

  • There is a disconnect between subjective survey feedback and objective data. People believe they are doing a good job remediating defective components and indicate that they understand where risk resides. Objectively, research shows development teams lack structured guidance and frequently make suboptimal decisions with respect to software supply chain management.

“This year’s State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype. “While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilized. Further, we now know that popular projects contain disproportionately more vulnerabilities. This stark reality highlights both a critical responsibility, and opportunity, for engineering leaders to embrace intelligent automation so they can standardize on the best open source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”

About Sonatype

Sonatype is the leader in developer-friendly, full-spectrum software supply chain automation providing organizations total control of their cloud-native development lifecycles, including third-party open source code, first-party source code, infrastructure as code, and containerized code. The company supports 70% of the Fortune 100 and its commercial and open source tools are trusted by 15 million developers around the world. With a vision to transform the way the world innovates, Sonatype helps organizations of all sizes build higher quality software that’s more aligned with business needs, more maintainable and more secure.

Sonatype has been recognized by Fast Company as one of the Best Workplaces for Innovators in the world, two years in a row and has been named to the Deloitte Technology Fast 500 and Inc.
