Sonatype has released its report “The State of the Software Supply Chain in 2020”, which finds that next-generation cyber attacks that actively target the open source software supply chain have surged by 430%.
This is the sixth annual state-of-the-software-supply-chain report Sonatype has published. It analyzes more than 1.5 trillion open source download requests, 24,000 open source projects and 5,600 enterprise development teams. The report records 929 next-generation software supply chain attacks in the preceding 12 months, compared with only 216 such attacks recorded between February 2015 and June 2019.
In response, Sonatype CEO Wayne Jackson said, “After the infamous Equifax breach in 2017, companies have substantially increased their investment to prevent similar attacks on the open source software supply chain. Our research shows that the ability of commercial engineering teams to deal with new zero-day vulnerabilities is improving. Therefore, when adversaries move their activities ‘upstream’, it is not surprising that next-generation supply chain attacks increase by 430%, because attackers can infect a single open source component, and that component may then be distributed ‘downstream’ and used strategically and secretly.”
The study also found that the time enterprise development teams take to respond to vulnerabilities in open source components varies widely: 51% of organizations need more than a week to remediate a new zero-day vulnerability. The report further found that high-performing development teams detect and fix open source vulnerabilities 26 times faster and deploy code changes 15 times more frequently than their peers. They are 59% more likely to use automated software composition analysis (SCA), and nearly 5 times more likely to update dependencies and fix vulnerabilities successfully without introducing flaws.
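The automated SCA check the report credits high-performing teams with is, at its core, a comparison of installed component versions against an advisory feed. The following Python script is an added illustration of that idea and is not code from the report or from Sonatype: it reads a lockfile in the shape of an npm package-lock.json, matches each installed package against a list of advisories, and reports which components fall below the fixed version. The lockfile contents, package names (libfoo, libbar, libbaz), advisory identifiers and version bounds are all constructed for this example; real tools consume a maintained vulnerability database and implement full semver, including pre-release ordering, which this simplified version comparison does not.

```python
import json
from typing import Dict, List

# Constructed sample lockfile in the shape of an npm package-lock.json (v2).
# Package names and versions are invented for this example.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/libfoo": {"version": "4.17.15"},
        "node_modules/libbar": {"version": "1.2.5"},
        "node_modules/libbaz": {"version": "2.0.0-beta.1"},
    },
})

# Constructed advisory feed: hypothetical IDs and version bounds, not real CVE data.
# "vulnerable_below" means every version strictly lower than it is affected.
SAMPLE_ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "package": "libfoo", "vulnerable_below": "4.17.19", "fixed_in": "4.17.19"},
    {"id": "ADV-EXAMPLE-002", "package": "libbar", "vulnerable_below": "1.2.3", "fixed_in": "1.2.3"},
    {"id": "ADV-EXAMPLE-003", "package": "libbaz", "vulnerable_below": "2.0.1", "fixed_in": "2.0.1"},
]


def parse_version(version: str) -> tuple:
    """Turn 'v1.2.3-beta.1+build' into (1, 2, 3).

    Pre-release and build metadata are dropped, so '2.0.0-beta.1' compares as
    2.0.0. A production scanner must implement full semver ordering instead.
    """
    core = version.lstrip("v").split("-", 1)[0].split("+", 1)[0]
    return tuple(int(part) for part in core.split("."))


def load_lock(lock_json: str) -> Dict[str, str]:
    """Map installed package name -> version from a package-lock.json document."""
    data = json.loads(lock_json)
    installed: Dict[str, str] = {}
    for path, meta in data.get("packages", {}).items():
        if not path:
            continue  # the "" key is the root project itself, not a dependency
        # Nested entries look like "node_modules/a/node_modules/b"; keep the leaf name.
        name = path.rsplit("node_modules/", 1)[-1]
        installed[name] = meta["version"]
    return installed


def find_vulnerable(installed: Dict[str, str], advisories: List[dict]) -> List[dict]:
    """Return one finding per advisory whose package is installed at an affected version."""
    findings = []
    for adv in advisories:
        version = installed.get(adv["package"])
        if version is None:
            continue  # component not present in this application
        if parse_version(version) < parse_version(adv["vulnerable_below"]):
            findings.append({
                "package": adv["package"],
                "installed": version,
                "advisory": adv["id"],
                "fixed_in": adv["fixed_in"],
            })
    return findings


def scan(lock_json: str = SAMPLE_LOCK, advisories: List[dict] = SAMPLE_ADVISORIES) -> List[dict]:
    """Full SCA pass over a lockfile: parse, match, report."""
    return find_vulnerable(load_lock(lock_json), advisories)


if __name__ == "__main__":
    for finding in scan():
        print(f"{finding['package']}@{finding['installed']}: {finding['advisory']} "
              f"(upgrade to {finding['fixed_in']})")
```

Run in CI against the real lockfile, a non-empty result from `scan()` is the signal to fail the build or open a dependency-update change; the `fixed_in` field is what turns the finding into an actionable remediation, which is the step the report's "update dependencies without flaws" metric measures.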
Some other findings in the report include:
- By 2020, component download requests across all major open source ecosystems are expected to reach 1.5 trillion
- 10% of the Java open source components downloaded by developers have known security vulnerabilities
- Of the open source components that developers build into their applications, 11% have known vulnerabilities, with an average of 38 vulnerabilities found
- 40% of npm packages contain dependencies with known vulnerabilities
- New open source zero-day vulnerabilities are exploited within three days of public disclosure
The full report is available at: https://www.sonatype.com/2020ssc