As the industry’s reliance on open-source software has grown, so has the number of known attacks against the software supply chain, with a 742% increase over the past three years, according to Sonatype’s eighth annual State of the Software Supply Chain Report. According to the report, 1.2 billion vulnerable dependencies are downloaded every month. Of these, 96% had a non-vulnerable option available. Consumer behavior, rather than open-source maintainers, is often cited as the cause in public discussions.
One of the reasons behind this trend is the increase and evolution of software supply chain attacks. The report reveals a 633% year-over-year increase in malicious attacks targeting open source in public repositories – and an average annual increase of 742% in software supply chain attacks since 2019.
While cybercriminals are nothing new, the frequency, severity and complexity of these malicious attacks are becoming a major concern for developers and organizations around the world. Developers are being asked to maintain a working knowledge of software quality, multiple open-source ecosystems, fluctuating regulations, and nearly 1,500 dependency changes per year, per application – all in the face of ever-evolving attacks.
So what can be done? Minimizing dependencies and maintaining short update times are critical factors in reducing the risk of transitive vulnerabilities – the most common source of security risks.
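To make the point about transitive dependencies concrete, the following is an added example (not code from the report or from Sonatype) that walks a constructed dependency graph from an application's root, records how deep each package sits, and matches pinned versions against a constructed advisory feed. The graph, package names, versions and advisory entries are all made up for illustration; a real audit would read a lockfile and a feed such as OSV, and would match semver ranges rather than an exact set of affected versions.

```python
from collections import deque

# Constructed sample dependency graph (illustrative, not real packages):
# (package, pinned version) -> list of (dependency, pinned version)
SAMPLE_GRAPH = {
    ("app", "1.0.0"): [("web-framework", "2.3.1"), ("json-lib", "1.4.0")],
    ("web-framework", "2.3.1"): [("http-parser", "0.9.2"), ("logger", "3.0.0")],
    ("json-lib", "1.4.0"): [],
    ("http-parser", "0.9.2"): [("string-utils", "1.1.0")],
    ("logger", "3.0.0"): [],
    ("string-utils", "1.1.0"): [],
}

# Constructed advisory feed (illustrative): package -> affected versions and
# the first fixed version, or None when no fix has been published yet.
SAMPLE_ADVISORIES = {
    "http-parser": {"affected": {"0.9.0", "0.9.1", "0.9.2"}, "fixed_in": "0.9.3"},
    "string-utils": {"affected": {"1.1.0"}, "fixed_in": None},
    "json-lib": {"affected": {"1.3.0"}, "fixed_in": "1.3.1"},  # pinned 1.4.0 is not affected
}


def resolve_dependencies(graph, root):
    """Breadth-first walk from root.

    Returns {(name, version): depth}; depth 1 is a direct dependency,
    anything deeper is transitive. A package is recorded at the shallowest
    depth at which it is first reached.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        node, depth = queue.popleft()
        if node in depths:
            continue
        depths[node] = depth
        for child in graph.get(node, []):
            queue.append((child, depth + 1))
    return depths


def audit(graph, advisories, root):
    """Flag every resolved dependency whose pinned version is in an advisory."""
    findings = []
    for (name, version), depth in resolve_dependencies(graph, root).items():
        advisory = advisories.get(name)
        if advisory and version in advisory["affected"]:
            findings.append({
                "package": name,
                "version": version,
                "depth": depth,
                "transitive": depth > 1,
                "fix_available": advisory["fixed_in"] is not None,
                "fixed_in": advisory["fixed_in"],
            })
    return findings


def summarize(findings):
    """Counts that mirror the report's framing: how many vulnerable packages
    arrived transitively, and how many already have a non-vulnerable option."""
    return {
        "vulnerable": len(findings),
        "transitive": sum(1 for f in findings if f["transitive"]),
        "fixable": sum(1 for f in findings if f["fix_available"]),
    }


if __name__ == "__main__":
    results = audit(SAMPLE_GRAPH, SAMPLE_ADVISORIES, ("app", "1.0.0"))
    for f in results:
        origin = "transitive" if f["transitive"] else "direct"
        fix = f"upgrade to {f['fixed_in']}" if f["fix_available"] else "no fix published"
        print(f"{f['package']}=={f['version']} ({origin}, depth {f['depth']}): {fix}")
    print(summarize(results))
```

On the constructed input, both vulnerable packages are transitive (the application never declared either one), and one of them already has a fixed release. That split is what a team can act on: shrinking the dependency tree removes the exposure to packages it never chose, and a short update cadence clears the findings for which a non-vulnerable version already exists.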
However, reducing vulnerabilities is about more than project security: it also affects job satisfaction. In a survey of technical professionals, individuals from organizations with higher levels of maturity in the software supply chain were 2.7 times more likely to strongly agree with the statement, “I am satisfied with my work.”
Interestingly, there is a clear gap between the security measures actually in place and what people in IT believe is happening. Sixty-eight percent of respondents were confident that their applications do not use vulnerable libraries. However, in a random scan of business applications, 68% had known vulnerabilities in their open-source software components.
IT managers were 2.4 times more likely than respondents working in information security to strongly agree with “We approach security troubleshooting as a regular part of development work.”
To innovate faster and grow at scale, organizations need to make it as easy as possible for developers to create secure, maintainable software, meaning smarter tools that provide greater insight into their systems and automate their processes.
Sonatype’s eighth annual State of the Software Supply Chain Report combines a broad range of public and proprietary data and analysis, including 131 billion Maven Central downloads, research results from 662 technical professionals, and the assessment of 85,000 enterprise applications.
Read the full report from Sonatype.