Content, Content

Supply Chain Report: Most Known-Vulnerable Open Source Downloads Are Avoidable

Credit: Getty Images

Nearly all open source Java downloads with known vulnerabilities could have been avoided had users opted for a better, newer version, a new study by supply chain management firm Sonatype found.

Amid a “massive” surge in open source supply, demand and malicious cyberattacks, users could have skirted 96% of cyber issues had they not ignored an updated version of the software, the study, entitled the 8th Annual State of the Software Supply Chain, suggested.

MSPs Take Note

The Sonatype report is particularly important for managed security service (MSPs) providers in that supply chain attacks have become a frequent target for hackers. According to the report, 1.2 billion known-vulnerable dependencies (code libraries) that could be avoided are downloaded every month.

Commenting on the report, Brian Fox, Sonatype co-founder and chief technology officer, said:

“Humans are fallible, and the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality. Despite the continued attention on trying to ‘fix open source,’ the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event.”

With more open source being consumed than ever before, attacks targeting the software supply chain have increased as well, both in frequency and complexity, Sonatype said. According to the report, there was a 633% year over year increase in malicious attacks aimed at open source in public repositories. That amounted to a 742% average yearly increase in software supply chain attacks since 2019.

A Closer Look at the Report

Some of the study’s key findings include:

  • Open source demand continues to grow. Despite what self-reporting says, global open source consumption will surge to an estimated 3.1 trillion total requests.
  • Know what open source your open source is using. Transitive dependencies account for six out of every seven vulnerabilities affecting open source projects.
  • Current quality metrics can’t predict the caliber of an open source project. A new type of score, The Sonatype Safety Rating, uses machine learning alongside metrics to make a very accurate determination.
  • Developer responsibilities managing third party dependencies are huge. The average Java application contains 148 dependencies (20 more than last year), and the average Java project updates 10 times a year, meaning developers are tasked with tracking intelligence on nearly 1,500 dependency changes per year, per application they work on.
  • Automating software supply chain management saves time, money, and creates happier employees. Software practitioners with higher levels of supply chain maturity correlated with being 2.7 times more likely to report a high level of job satisfaction.
  • Organizations think they have their software supply chains under control, but the data disagrees. Sixty-eight percent of survey respondents were confident that their applications are not using known vulnerable libraries, but in a random sample of enterprise applications, 68% contained known vulnerabilities.
  • Managers are overly optimistic about managing open source. The survey showed an ongoing bias, in which managers report higher stages of maturity compared to what is reported by other roles.

Fox added context to the survey results:

“It comes as no surprise that job satisfaction is heavily linked to the software supply chain practices maturity. This sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”

Sonatype’s report includes dependency update patterns for more than 131 billion Maven Central (repository) downloads and thousands of open source projects, survey results from 662 engineering professionals, and the assessment of 185,000 key enterprise applications.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.