Good news, bad news in new open source software report

Marilyn Villiers
July 16, 2019 Big Data, Cloud & DevOps
It is possible to manage your open source software supply chain to reduce the risk of vulnerabilities and breaches. The problem is, not everyone is following this advice, according to the 2019 State of the Software Supply Chain Report, which was released yesterday by DevOps automation firm Sonatype.

While there has been a 71% increase in confirmed or suspected open source-related breaches since 2014, and 25% of organisations reported a confirmed or suspected open source-related breach in the past year, the news on the open source security front is not all bad.

This is the fifth annual report on global open source software development and is based on what is arguably one of the largest data sources ever tapped for this kind of research: 36 000 open source project teams, 3.7 million open source component releases, 12 000 commercial engineering teams and two surveys with a combined participation of 6 200 development professionals.

OSS component growth from 2017 – 2019 (Source: Sonatype’s 2019 State of the Software Supply Chain report)

The report clearly shows that the popularity of open source continues to rise exponentially. Demand for JavaScript, for example, is huge. In 2018, the average weekly npm package downloads rose from approximately 3.5 billion to 10 billion – an increase of 185%.

However, popularity does not imply fewer vulnerabilities. The percentage of vulnerable Java components downloaded has increased substantially over the past four years, from 6.1% in 2015 to 12.1% in 2018, dropping only slightly to 10.3% in the current survey.

The rise in overall open source-related breaches should be seen against the background of the massive growth in the use of open source components. According to the research, there has been 75% growth in the supply of open source component releases over the past two years, and 148 billion download requests from the Central Repository alone in the past 12 months – a year-on-year increase of 68%.

In addition, the research indicated a 55% reduction in the use of vulnerable open source components – but largely within managed software supply chains.

The report highlighted the benefits of the managed approach and best practices adopted by what it terms 'exemplary' open source software projects and commercial application development teams.

According to Wayne Jackson, CEO of Sonatype, the tried and tested advice to organisations was to rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software.

“For organisations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%,” he said.

However, it appears that some open source component users are oblivious to all advice and warnings. A shocking finding in the report concerns Apache Struts, the framework whose vulnerability was exploited in the infamous 2017 breach at Equifax: despite the publicity that breach generated, the warnings have been widely ignored. Sonatype's analysis of Struts downloads from the Central Repository revealed that the volume of monthly downloads of vulnerable Struts versions continued to rise; one year after the breach, those downloads had increased 11% to 2.1 million, and they have not slowed since.
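One concrete form of the "fewest suppliers, best track records, automation" advice quoted above, and of the kind of gate that would have refused the vulnerable Struts releases still being downloaded, is a build-time policy check over a project's declared dependencies. The following Python is an added example written for this page; it is not Sonatype's tooling and does not come from the report. It parses a constructed pom.xml (the sample file, the com.example and io.example.unknownvendor coordinates and the supplier allowlist are all hypothetical), resolves Maven `${property}` versions, rejects any dependency whose groupId is not on the allowlist, and blocks versions that fall inside known-bad ranges. The two range entries mirror the published affected ranges for CVE-2017-5638, the Struts flaw exploited at Equifax; a production gate would load such ranges from an advisory feed rather than hard-code them.

```python
"""Build-time policy gate for Maven dependencies: supplier allowlist plus
known-bad version ranges. Added example for this page; not Sonatype's code."""
import re
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Constructed sample pom.xml (not a real project's file). The Struts and
# commons coordinates are real Maven coordinates; the Struts version was
# chosen to fall inside a known-bad range, and the two unresolved/unknown
# entries exercise the gate's failure modes.
SAMPLE_POM = """<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <struts.version>2.3.30</struts.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.apache.struts</groupId>
      <artifactId>struts2-core</artifactId>
      <version>${struts.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-lang3</artifactId>
      <version>3.9</version>
    </dependency>
    <dependency>
      <groupId>io.example.unknownvendor</groupId>
      <artifactId>left-pad</artifactId>
      <version>0.1</version>
    </dependency>
    <dependency>
      <groupId>org.apache.commons</groupId>
      <artifactId>commons-text</artifactId>
      <version>${text.version}</version>
    </dependency>
  </dependencies>
</project>
"""

# Hypothetical policy: the few suppliers (Maven groupIds) this team trusts.
ALLOWED_SUPPLIERS = {"org.apache.struts", "org.apache.commons"}

# Known-bad ranges, inclusive at both ends: (groupId, artifactId, lo, hi, ref).
# These mirror the published affected ranges for CVE-2017-5638; a real gate
# would pull them from an advisory feed instead of hard-coding them.
KNOWN_BAD: List[Tuple[str, str, str, str, str]] = [
    ("org.apache.struts", "struts2-core", "2.3.5", "2.3.31", "CVE-2017-5638"),
    ("org.apache.struts", "struts2-core", "2.5", "2.5.10", "CVE-2017-5638"),
]

_PROP = re.compile(r"\$\{([^}]+)\}")


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.5.10.1' into (2, 5, 10, 1); a non-numeric qualifier ends parsing."""
    parts: List[int] = []
    for piece in re.split(r"[.\-]", v):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    if not parts:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(parts)


def in_range(v: str, lo: str, hi: str) -> bool:
    """Inclusive range test; tuple comparison makes 2.5.10.1 > 2.5.10."""
    return parse_version(lo) <= parse_version(v) <= parse_version(hi)


def load_dependencies(pom_text: str) -> List[Dict[str, str]]:
    """Read <dependency> entries and resolve ${property} version references."""
    root = ET.fromstring(pom_text)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""
    q = (lambda t: f"{{{ns}}}{t}") if ns else (lambda t: t)
    props: Dict[str, str] = {}
    props_el = root.find(q("properties"))
    if props_el is not None:
        for p in props_el:
            props[p.tag.split("}")[-1]] = (p.text or "").strip()
    deps = []
    for dep in root.iter(q("dependency")):
        rec = {}
        for field in ("groupId", "artifactId", "version"):
            el = dep.find(q(field))
            rec[field] = (el.text or "").strip() if el is not None else ""
        # Unknown properties are left in place so the gate can flag them.
        rec["version"] = _PROP.sub(lambda m: props.get(m.group(1), m.group(0)), rec["version"])
        deps.append(rec)
    return deps


def evaluate(pom_text: str) -> List[Dict[str, str]]:
    """Return one finding per dependency that violates the policy."""
    findings = []
    for d in load_dependencies(pom_text):
        coord = f"{d['groupId']}:{d['artifactId']}:{d['version']}"
        if d["groupId"] not in ALLOWED_SUPPLIERS:
            findings.append({"coord": coord, "rule": "supplier-not-allowlisted"})
            continue
        if not d["version"] or "${" in d["version"]:
            # Refuse rather than guess: an unresolved version cannot be checked.
            findings.append({"coord": coord, "rule": "unresolved-version"})
            continue
        for g, a, lo, hi, ref in KNOWN_BAD:
            if d["groupId"] == g and d["artifactId"] == a and in_range(d["version"], lo, hi):
                findings.append({"coord": coord, "rule": f"known-vulnerable:{ref}"})
                break
    return findings


if __name__ == "__main__":
    for f in evaluate(SAMPLE_POM):
        print(f"BLOCK {f['coord']}  ({f['rule']})")
```

Two caveats a practitioner would add. First, this only sees direct dependencies declared in the pom; the vulnerable Struts jar is just as often pulled in transitively, so the same rules should run over the resolved tree (the output of `mvn dependency:tree`, or a lockfile) rather than the pom alone. Second, a developer-side gate helps teams that run it; the "oblivious" downloads the report describes are only stopped by enforcing the same policy at the repository manager or proxy that every build in the organisation fetches from.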

    © 2021, Experfy Inc. All rights reserved.