Technology Report: 96% of vulnerable open source downloads are avoidable


As the industry's reliance on open-source software has grown, so has the number of known attacks on the software supply chain: a 742% increase over the past three years, according to Sonatype's eighth annual State of the Software Supply Chain Report. The report finds that 1.2 billion vulnerable dependencies are downloaded every month, and that for 96% of those downloads a non-vulnerable version of the same component was already available. In public discussion, consumer behavior, rather than the open-source maintainers, is often cited as the cause.

One of the reasons behind this trend is the growth and evolution of software supply chain attacks. The report records a 633% year-over-year increase in malicious attacks targeting open source in public repositories, and an average annual increase of 742% in software supply chain attacks since 2019.

Image source: Sonatype.

While cybercriminals are nothing new, the frequency, severity and complexity of these attacks are becoming a major concern for developers and organizations around the world. Developers are expected to keep up with software quality, multiple open-source ecosystems, changing regulations, and nearly 1,500 dependency changes per year per application, all while the attacks themselves keep evolving.

So what can be done? Keeping the number of dependencies small and updating them promptly are the critical factors in reducing the risk from transitive dependencies, which the report identifies as the most common source of vulnerabilities: a vulnerable library is usually not one the team chose, but one pulled in by something it did choose.
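The two findings above, that most vulnerable components arrive transitively and that a non-vulnerable release usually already exists, are easiest to see in a dependency audit. The following is an added example, not code from the report or from Sonatype's tooling: it walks a constructed resolved dependency graph, flags every (package, version) that falls inside a constructed advisory's affected range, records whether it is a direct or transitive dependency and the path that introduced it, and looks for the nearest newer release that carries no advisory. All package names, versions and advisory IDs (`EXAMPLE-2022-...`) are placeholders invented for the example.

```python
"""Audit a resolved dependency graph for known-vulnerable versions and report
whether a non-vulnerable release of the same package is already published.

Constructed data throughout: package names, versions and advisory IDs are
illustrative placeholders, not real advisories.
"""
from collections import deque

# Constructed dependency graph: (package, version) -> list of pinned dependencies.
# "app" is the root; everything else is pulled in directly or transitively.
RESOLVED = {
    ("app", "1.0.0"): [("web-framework", "2.3.1"), ("json-tools", "1.4.0")],
    ("web-framework", "2.3.1"): [("http-client", "0.9.2"), ("templating", "3.1.0")],
    ("json-tools", "1.4.0"): [],
    ("http-client", "0.9.2"): [],
    ("templating", "3.1.0"): [("http-client", "0.9.2")],
}

# Constructed advisory database: package -> [(advisory_id, first_affected, fixed_in)].
# A release v is affected when first_affected <= v < fixed_in (fixed_in None = no fix yet).
VULNS = {
    "http-client": [("EXAMPLE-2022-0001", "0.9.0", "0.9.3")],
    "json-tools": [("EXAMPLE-2022-0002", "1.0.0", None)],
}

# Constructed index of published releases for each package.
PUBLISHED = {
    "web-framework": ["2.3.0", "2.3.1", "2.4.0"],
    "json-tools": ["1.3.0", "1.4.0", "1.5.0"],
    "http-client": ["0.9.1", "0.9.2", "0.9.3", "1.0.0"],
    "templating": ["3.0.0", "3.1.0"],
}


def parse_version(v):
    """Turn 'major.minor.patch' into a comparable tuple of ints."""
    return tuple(int(part) for part in v.split("."))


def advisories_for(package, version):
    """Return the advisory IDs whose affected range covers this exact release."""
    pv = parse_version(version)
    hits = []
    for advisory_id, first_affected, fixed_in in VULNS.get(package, []):
        lo = parse_version(first_affected)
        hi = parse_version(fixed_in) if fixed_in else None
        if pv >= lo and (hi is None or pv < hi):
            hits.append(advisory_id)
    return hits


def nearest_safe_version(package, version):
    """Smallest published release newer than `version` with no advisories,
    or None when every newer release is also affected (no non-vulnerable option)."""
    pv = parse_version(version)
    for candidate in sorted(PUBLISHED.get(package, []), key=parse_version):
        if parse_version(candidate) > pv and not advisories_for(package, candidate):
            return candidate
    return None


def audit(root, graph):
    """Breadth-first walk from root. For each vulnerable (package, version) report
    the shortest path that introduced it, its advisories, and the nearest safe
    upgrade. Returns the findings sorted by package name."""
    paths = {root: [root[0]]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:  # first visit in BFS order is the shortest path
                paths[dep] = paths[node] + [dep[0]]
                queue.append(dep)

    findings = []
    for (package, version), path in paths.items():
        if (package, version) == root:
            continue
        ids = advisories_for(package, version)
        if not ids:
            continue
        findings.append({
            "package": package,
            "version": version,
            "advisories": ids,
            "transitive": len(path) > 2,  # root -> direct dependency is a path of 2 nodes
            "path": " -> ".join(path),
            "safe_upgrade": nearest_safe_version(package, version),
        })
    return sorted(findings, key=lambda f: f["package"])


if __name__ == "__main__":
    for f in audit(("app", "1.0.0"), RESOLVED):
        kind = "transitive" if f["transitive"] else "direct"
        fix = f["safe_upgrade"] or "none published"
        print(f"{f['package']}=={f['version']} ({kind} via {f['path']}): "
              f"{', '.join(f['advisories'])}; nearest safe release: {fix}")
```

On the constructed data the audit yields two findings. `http-client` 0.9.2 arrives transitively through `web-framework`, and a clean 0.9.3 is already published, which is the 96% case: nobody needed to accept the vulnerable version. `json-tools` 1.4.0 is a direct dependency with no fixed release at all, which is the remaining case where the only remediation is to replace or remove the dependency, the "minimize dependencies" point made above. A real audit would read the graph from the ecosystem's lock file and the advisory ranges from a vulnerability database rather than from the inline tables used here.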



However, reducing vulnerabilities is about more than project security: it also affects job satisfaction. In a survey of technical professionals, individuals from organizations with higher levels of maturity in the software supply chain were 2.7 times more likely to strongly agree with the statement, “I am satisfied with my work.”

Interestingly, there is a clear gap between the security measures organizations actually take and what IT staff believe is happening. Sixty-eight percent of respondents were confident that their applications do not use vulnerable libraries; yet in a random scan of enterprise applications, 68% contained known vulnerabilities in their open-source components.

IT managers were 2.4 times more likely than respondents working in information security to strongly agree with “We approach security troubleshooting as a regular part of development work.”

To innovate faster and grow at scale, organizations need to make it as easy as possible for developers to build secure, maintainable software, which means smarter tools that give greater insight into their systems and automate their processes.

Sonatype's eighth annual State of the Software Supply Chain Report combines a broad range of public and proprietary data and analysis, including 131 billion Maven Central downloads, survey responses from 662 technical professionals, and an assessment of 85,000 enterprise applications.

Read the full report from Sonatype.


Shreya Christina
Shreya has been with for 3 years, writing copy for client websites, blog posts, EDMs and other mediums to engage readers and encourage action. By collaborating with clients, our SEO manager and the wider team, Shreya seeks to understand an audience before creating memorable, persuasive copy.
