The Truth About Your Software Supply Chain
Open source components help developers innovate faster, but they sometimes come at a high price.
July 1, 2019
![](https://eu-images.contentstack.com/v3/assets/blt6d90778a997de1cd/blt18813e05eef9bffd/64f0d55f1f28922b16e312aa/1.jpg?width=700&auto=webp&quality=80&disable=upscale)
Developers in enterprise environments — and at commercial software companies, for that matter — have learned that to deliver features swiftly, it's much more expedient not to reinvent the wheel with certain chunks of code. And so they increasingly build their software by mixing and matching open source software components within their code base to minimize their development time to coding the components that truly add value and differentiation to their applications.
This reliance on open source components greatly speeds up innovation but often comes at a high price: Many of these components available for download contain dangerous vulnerabilities. Some companies are better than others in establishing policies about how and when developers can use them, as well as at actively managing the components to track for flaws. The latest research shows that those that do it well can minimize the risks introduced by these components into their software while maximizing the gains.
"For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards are impressive," says Wayne Jackson, CEO of Sonatype, which last week released its "2019 State of the Software Supply Chain Report." This study, along with two others released in the past two months, paints a good picture of open source component risks and how organizations are mitigating them.
The latest studies put to rest the notion that today's software world is split cleanly between open source software and everything else. The truth is that almost all modern software today comprises at least some open source components.
According to the "2019 Open Source Security and Risk Analysis (OSSRA)" report, released earlier this spring by Synopsys, 99% of applications with at least 1,000 files contain at least some open source components. Meanwhile, an analysis of 500 modern applications in the Sonatype study shows that, on average, 85% of their code consists of open source components.
The previous chart shows that Java projects lead the pack in overall volume and growth of available components. Not only are there more Java components available for download, but there is also greater use of those components out in the real world. The aggregate number of download requests for Java component releases grew 68% in 2018, to 146 billion. Sonatype calculates that this equates to 12,166 requests per person if you estimate there being about 12 million Java developers around the world.
The Sonatype study reports a 71% increase in confirmed or suspected open source-related breaches since 2014. The good news is the number of open source breaches seems to have peaked in 2018, with a slight dip occurring over the past year. Nevertheless, one in four organizations surveyed by Sonatype say they've experienced an incident within the past 12 months.
These breaches reflect how attackers have recognized what low-hanging fruit open source components offer them in terms of attack surface. According to the OSSRA report, the percentage of open source codebases containing at least one vulnerability stands at 60%. That's a big improvement compared with 78% from a year prior, but it still represents a significant ratio.
Drilling down into the numbers by severity of flaws, 40% of those open source codebases contain high-risk vulnerabilities, the OSSRA report states.
In practice, the share of vulnerable components actually used by organizations is much lower than the 40% cited in the OSSRA report, but the defect rate is still significant. Sonatype's analysis shows that approximately 8.8% of component downloads at enterprise organizations contain known security vulnerabilities. Among the most popular Java components, that rate is 10.3%. Troublingly, though, among the vulnerable components that do get downloaded, 67% carry vulnerabilities scored 7.0 or above on the 10-point Common Vulnerability Scoring System (CVSS) scale.
With so many open source components available out there with known vulnerabilities, it's incumbent on organizations to build checks for those flaws into the process of sourcing their software components. Unfortunately, another study released by WhiteSource earlier this month shows only half of North American firms and 42% of European firms do those checks before choosing open source components. Additionally, very few organizations have mechanisms in place to keep tabs on components already in use as new vulnerabilities arise, with just one in three organizations employing tools that can automatically detect these flaws in existing applications.
Sonatype's study shows that development teams that actively manage their software supply chains, regularly update their open source dependencies, and employ automation of open source policies are statistically proven to lower their open source defect rates. Managed supply chains saw a 55% reduction of vulnerable components compared with unmanaged supply chains. Organizations with policies and best practices in place tended to use more recently updated components containing fewer known vulnerabilities.
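The automated policy the studies describe (checking components against known vulnerabilities at sourcing time and failing on high-severity findings) can be shown as a small build gate. The following is an added illustration written for this page; it is not code from Sonatype, Synopsys, or WhiteSource, and the manifest, advisory feed, component names, advisory identifiers, and CVSS scores are all constructed for the example. The 7.0 cutoff mirrors the CVSS threshold the article cites.

```python
"""Dependency policy gate (added illustration, not from any cited report).

Parses a flat Maven-style dependency list, matches each component against a
small advisory feed, and fails when a known vulnerability scores 7.0 or above
on the 10-point CVSS scale. Every name and score below is constructed."""
import re
from dataclasses import dataclass

# Policy threshold: block components with vulnerabilities at CVSS 7.0+ (the
# severity band the article singles out), and only report anything lower.
CVSS_FAIL_THRESHOLD = 7.0


@dataclass(frozen=True)
class Component:
    group: str
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    advisory_id: str   # placeholder identifier, not a real CVE
    group: str
    name: str
    introduced: str    # first affected version (inclusive)
    fixed: str         # first fixed version (exclusive upper bound)
    cvss: float


@dataclass(frozen=True)
class Finding:
    component: Component
    advisory: Advisory


# group:artifact:version, with a purely numeric dotted version
_COORD = re.compile(r"^([\w.\-]+):([\w.\-]+):(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def parse_manifest(text: str) -> list:
    """Parse group:artifact:version lines; skip blanks and '#' comments,
    reject anything malformed so a typo cannot silently bypass the gate."""
    components = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        match = _COORD.match(line)
        if match is None:
            raise ValueError(f"line {lineno}: not a group:artifact:version coordinate: {line!r}")
        components.append(Component(*match.groups()))
    return components


def is_affected(component: Component, advisory: Advisory) -> bool:
    """A component is affected when coordinates match and its version lies in
    [introduced, fixed)."""
    if (component.group, component.name) != (advisory.group, advisory.name):
        return False
    version = parse_version(component.version)
    return parse_version(advisory.introduced) <= version < parse_version(advisory.fixed)


def find_vulnerabilities(components, advisories) -> list:
    return [Finding(c, a) for c in components for a in advisories if is_affected(c, a)]


def evaluate_policy(findings, threshold: float = CVSS_FAIL_THRESHOLD) -> dict:
    """Split findings at the CVSS threshold; the gate fails if any are above it."""
    high = [f for f in findings if f.advisory.cvss >= threshold]
    low = [f for f in findings if f.advisory.cvss < threshold]
    return {"fail": bool(high), "high": high, "low": low}


# Constructed sample manifest (hypothetical coordinates).
SAMPLE_MANIFEST = """
# application dependencies (constructed example)
org.example:webframework:2.3.1
org.example:jsonparser:1.0.5
com.example:logging-core:4.2.0
"""

# Constructed advisory feed (placeholder IDs and scores, not real advisories).
SAMPLE_ADVISORIES = [
    Advisory("EXAMPLE-ADV-0001", "org.example", "webframework", "2.0.0", "2.4.0", 9.8),
    Advisory("EXAMPLE-ADV-0002", "org.example", "jsonparser", "1.0.0", "1.0.4", 5.3),
    Advisory("EXAMPLE-ADV-0003", "com.example", "logging-core", "4.0.0", "4.2.1", 4.0),
]


def run_gate(manifest: str = SAMPLE_MANIFEST, advisories=SAMPLE_ADVISORIES) -> dict:
    """Parse, match, evaluate, and print a short report; returns the verdict."""
    report = evaluate_policy(find_vulnerabilities(parse_manifest(manifest), advisories))
    for f in report["high"] + report["low"]:
        c, a = f.component, f.advisory
        print(f"{'FAIL' if a.cvss >= CVSS_FAIL_THRESHOLD else 'WARN'} "
              f"{c.group}:{c.name}:{c.version} {a.advisory_id} CVSS {a.cvss} fixed in {a.fixed}")
    print("build blocked" if report["fail"] else "build allowed")
    return report


if __name__ == "__main__":
    run_gate()
```

On the constructed data the gate blocks the build: webframework 2.3.1 falls inside the affected range of a 9.8 advisory, logging-core 4.2.0 is affected but only at 4.0 and is reported as a warning, and jsonparser 1.0.5 is past its fix version and passes. Running the same check on a schedule against the deployed manifest, rather than only at sourcing time, is what covers the "keep tabs on components already in use" gap the WhiteSource study describes.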