Report: 96% of vulnerable open-source downloads are avoidable

Report: 96% of vulnerable open-source downloads are avoidable

Check out the on-demand sessions from the Low-Code/No-Code Summit to learn how to successfully innovate and achieve efficiency by upskilling and scaling citizen developers. Watch now.

As the industry’s reliance on open-source software has increased, so has the number of known software supply chain attacks, with a 742% increase over the last three years, according to Sonatype’s eighth annual State of the Software Supply Chain Report. 1.2 billion vulnerable dependencies are downloaded each month, according to the report. Of these, 96% had a non-vulnerable option available. Consumer behavior, not open-source maintainers, are often cited in public discussions as the cause. 

One reason behind this trend is the increase and evolution of software supply chain attacks. The report reveals a 633% year-over-year increase in malicious attacks aimed at open source in public repositories – and an average 742% yearly increase in software supply chain attacks since 2019. 

Image source: Sonatype.

While cybercriminals are nothing new, the frequency, severity and sophistication of these malicious attacks are becoming a major issue plaguing developers and organizations around the world. Developers are being asked to maintain a working knowledge of software quality, multiple open-source ecosystems, fluctuating regulations and almost 1,500 dependency changes per year, per application – all in the face of continually-evolving attacks. 

So what can be done? Minimizing dependencies and maintaining low update times are critical factors for reducing the risk of transitive vulnerabilities — the most common source of security risk. 


Intelligent Security Summit

Learn the critical role of AI & ML in cybersecurity and industry specific case studies on December 8. Register for your free pass today.

Register Now

Curbing vulnerabilities is about more than the security of projects, though: it affects job satisfaction, too. In a survey of engineering professionals, individuals from organizations with higher levels of software supply chain maturity were 2.7 times more likely to strongly agree with the statement, “I am satisfied with my job.” 

Interestingly, there’s a clear disconnect between security measures taking place and what people in IT think is happening. Sixty-eight percent of respondents were confident their applications are not using vulnerable libraries. However, in a random scan of enterprise applications, 68% had known vulnerabilities in their open-source software components.

IT managers were 2.4 times more likely than respondents working in information security to strongly agree with “We address remediation of security issues as a regular part of development work.” 

To innovate faster and grow at scale, organizations need to make it as easy as possible for developers to create secure, maintainable software, which includes giving them smarter tools that provide more visibility into their systems and automate their processes. 

Sonatype’s eighth annual State of the Software Supply Chain Report blends a broad set of public and proprietary data and analysis, including 131 billion Maven Central downloads, survey results from 662 engineering professionals, and the assessment of 85,000 enterprise applications. 

Read the full report from Sonatype.

VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Discover our Briefings.

Leave a Reply