Beating Vulnerabilities in Open Source Code
Written by Sue Gee   
Monday, 31 August 2020

Open source downloads are on course to reach 1.5 trillion in 2020, an all-time high. At the same time the incidence of cyber attacks actively targeting open source software projects has increased by 430%. How do enterprise respond to the deluge of vulnerabilities and what influences their success?

For the answers we turned to Sonatype’s sixth annual State of the Software Supply Chain Report, which pulls from public and private databases as well as survey data, offers unique insights on the state of open source security and how the proliferation of open source code has left the global supply chain at risk.

Key findings from the report are:

sonat1

  • Remote work isn’t slowing down software development: Despite the global impacts of COVID-19, 2020 is on pace to see 1.5 trillion downloads of open source components and containers.

  • When building applications, development teams use an average of 135 software components, of which 90% are open source – an all-time high.

  • Open source code has increasingly become a target: Globally, 2019 brought a 430% increase in next-generation cyber attacks actively targeting open source software projects.

The proliferation of open source code has left the global supply chain at risk. The task of dealing with OSS vulnerabilities falls to  software engineers who now face a much heavier burden. 

To shed light on way enterprise software development teams utilize open source components and the performance and risk management outcomes they achieve, Sonatype’s open source and security research team collaborated with Dr. Stephen Magill and Gene Kim to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity.

Their findings are summed up as:

[while] adversaries are accelerating, faster is better for open source projects, and productivity does not have to come at the cost of reduced security in the enterprise.

The responses of 679 individuals across a wide variety of industry verticals, including Banking, Retail, Healthcare, and Government to a survey with 41 questions were analyzed using cluster analysis.

This revealed four distinct groups:

⊲ High Performers: high productivity, great risk management outcomes (N=151)

⊲ Low Performers: low productivity, poor risk management outcomes (N=107)

⊲ Security First: low productivity, great risk management outcomes (N=167)

⊲ Productivity First: high productivity, poor risk management outcomes (N=103) 

ssscprodrisk

The report presents results that indicate that High Performers significantly outperform the low performers in software delivery and security —  they deploy more frequently, they detect and remediate vulnerable OSS components more quickly, onboard developers onto new teams more quickly, and approve new OSS components for use more quickly. As a final bonus developers in High Performance teams demonstrate higher levels of job satisfaction.

sonat2

 

More Information

Introducing the 2020 State of the Software Supply Chain Report

2020 State of the Software Supply Chain Report (e-mail required to download)

Related Articles

Open Source Is Not Growing Anymore

Working At Home: Does It Impact Developer Productivity?

Promoting Open Source Software

What Attracts Devs To Open Source

Why Take Part In Open Source?

Why Students Participate in Summer of Code

Code Borrowing and Licence Violations

What Eats Your Programming Time

Promoting Open Source Software

Programming For Love or Money

To be informed about new articles on I Programmer, sign up for our weekly newsletter, subscribe to the RSS feed and follow us on Twitter, Facebook or Linkedin.

 

Banner


Mojo - Python Superset For Go-Faster Hardware
07/10/2024

Mojo, the new language from Chris Lattner and his AI-focused company Modular, has entered the top 50 of the TIOBE index, even though it it was only launched in 2023.



Microsoft Introduces Unified .NET API For AI
14/10/2024

Microsoft has introduced new libraries for integrating AI services into .NET applications and libraries, along with middleware for adding key capabilities.


More News

espbook

 

Comments




or email your comment to: comments@i-programmer.info

 

Last Updated ( Monday, 31 August 2020 )