New Report Shows Healthy Growth in Open Source Usage, but Security is Not Locked Down

by Ostatic Staff - Jul. 12, 2016

Sonatype is out with its 2016 State of the Software Supply Chain report, and a related Software Supply Chain infographic. The report is notable in that it is based on 31 billion download requests for open source software components from the Central Repository (Maven Central), which Sonatype manages. It sheds light on the software supply chain practices of 3,000 development organizations and also includes software component analysis of 25,000 applications.

Here are some of the top findings, providing a glimpse into open source software practices, and some warnings about security.

Key findings from the report point to substantial growth in the open source ecosystem:

Open source component download requests rose from 17 billion in 2014 to 31 billion in 2015, an 82 percent year-over-year increase.

10,000 new component versions are introduced daily across development ecosystems.

Enterprises download more than 229,000 components annually, but on average only 5,000 of those downloads are unique components.

Open source components vary widely in quality: 6.1 percent of downloads (roughly 1 in 16 components) carry a known security defect.

Security, of course, has long been scrutinized across the open source ecosystem. The Cloud Security Alliance, for example, released a report in February that examines the prevalence of data breaches, data loss, insecure APIs and other points of concern, with much of its data pertinent to open cloud platforms.

Sonatype's report also found:

Data from 25,000 applications shows that 6.8 percent of components in use had at least one known security defect, revealing that downloads of poor-quality components are making their way into production.

Parts age and grow stale quickly. Older components (3+ years old) used in applications are disproportionately less healthy and three times more likely to contain vulnerabilities.
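The two findings above (components with known defects reaching production, and components over three years old being disproportionately vulnerable) both reduce to the same practice: keep an inventory of every component in the build and check each one against what is known about it. The script below is an added example, not code from the Sonatype report or any Sonatype tool. It parses a constructed Maven-style "group:artifact:version" manifest, looks each coordinate up in a constructed catalog of release dates and known-defect notes (the coordinates, dates and defect descriptions are invented for illustration and name no real project or advisory), flags anything stale by the report's three-year threshold or carrying a known defect, and reports the share of components with a known defect, the same figure the report quotes as 6.8 percent.

```python
"""Dependency inventory check: flag components that carry a known
security defect or are more than three years old.

Added example, not from the Sonatype report. Every coordinate, release
date and defect note below is constructed for illustration; none
describes a real component or a real advisory.
"""
from dataclasses import dataclass
from datetime import date

STALE_AFTER_DAYS = 3 * 365            # the report's "age 3+ years" threshold
AS_OF = date(2016, 7, 12)             # assessment date used by this example


@dataclass(frozen=True)
class Component:
    group: str
    artifact: str
    version: str

    @property
    def coordinates(self) -> str:
        return f"{self.group}:{self.artifact}:{self.version}"


# Constructed application manifest in Maven "group:artifact:version" form.
MANIFEST = """
# constructed sample manifest
com.example:web-core:2.4.1
com.example:json-util:1.0.3
org.example.legacy:xml-bind:0.9.0
com.example:crypto-shim:3.2.0
"""

# Constructed catalog: release date and known-defect notes per coordinate.
# In practice this data comes from a vulnerability feed or an SCA tool.
CATALOG = {
    "com.example:web-core:2.4.1":        {"released": date(2016, 1, 12), "defects": []},
    "com.example:json-util:1.0.3":       {"released": date(2012, 5, 3),  "defects": ["constructed: unsafe deserialization"]},
    "org.example.legacy:xml-bind:0.9.0": {"released": date(2011, 8, 20), "defects": []},
    "com.example:crypto-shim:3.2.0":     {"released": date(2015, 11, 2), "defects": ["constructed: weak default cipher"]},
}


def parse_manifest(text):
    """Parse 'group:artifact:version' lines, skipping blanks and comments."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":", 2)
        components.append(Component(group, artifact, version))
    return components


def assess(components, catalog, as_of):
    """Return per-component findings plus the share with a known defect.

    A component missing from the catalog is reported as 'unknown': a part
    you cannot identify is a finding in its own right, not a clean result.
    """
    findings = {}
    for c in components:
        entry = catalog.get(c.coordinates)
        if entry is None:
            findings[c.coordinates] = {"unknown": True, "stale": False, "defects": []}
            continue
        age_days = (as_of - entry["released"]).days
        findings[c.coordinates] = {
            "unknown": False,
            "stale": age_days > STALE_AFTER_DAYS,
            "defects": list(entry["defects"]),
        }
    defective = sum(1 for f in findings.values() if f["defects"])
    return {
        "findings": findings,
        "defect_share": defective / len(findings) if findings else 0.0,
    }


def main():
    result = assess(parse_manifest(MANIFEST), CATALOG, AS_OF)
    for coords, f in result["findings"].items():
        flags = []
        if f["unknown"]:
            flags.append("UNKNOWN PROVENANCE")
        if f["stale"]:
            flags.append("STALE (3+ years)")
        flags.extend(f"DEFECT: {d}" for d in f["defects"])
        print(f"{coords:38} {', '.join(flags) or 'ok'}")
    print(f"share of components with a known defect: {result['defect_share']:.1%}")


if __name__ == "__main__":
    main()
```

On the constructed data, two of the four components are flagged for a known defect (a 50 percent share), two are stale, and one is both stale and defective, which is the overlap the report's "three times more likely" finding predicts. Run against a real manifest, the catalog lookup is the piece to replace with a vulnerability feed; the age check and the unknown-provenance handling stay the same.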

Sonatype concludes that organizations are not doing enough to streamline their software supply chains or to protect them against security threats.

“By failing to effectively manage their software supply chain, we have found that software development organizations are taking on significant technical debt that is completely avoidable. Hours invested managing service interruptions and security breaches could otherwise be spent adding value for their companies and customers,” said Wayne Jackson, CEO, Sonatype. “Through our research, we have found that high performance development organizations are accelerating software innovation, quality, and security by embracing the principles of supply chain management – including using fewer and better suppliers, using only the highest quality parts, and tracking the precise location of every component part used inside their software.”

“Open source and third-party commercial components enable organizations to deliver quickly by reducing the amount of code they have to write. Just as manufacturers have learned they have to monitor and manage their suppliers, application development and delivery pros are learning that they have to manage increasingly complex supply chains,” wrote analysts Kurt Bittner, Diego Lo Giudice, and Amy DeMartine in the March 2016 Forrester report entitled Boost Application Delivery Speed And Quality With Agile DevOps Practices. “Every component brings benefits as well as risks, and you must manage those risks by selecting the best components and suppliers and by making sure delivery teams use only the latest, most secure versions of selected components.”