Sonatype report highlights rising threats in open source
The latest report from Sonatype highlights key trends and risks associated with the burgeoning use of open source software in the modern development landscape.
Sonatype's 10th Annual State of the Software Supply Chain report has found that open source components now account for 90% of modern software, with consumption estimated at 6.6 trillion downloads. This represents the largest annual increase to date.
The report reveals a significant increase in security threats, noting a 156% surge in malicious open source packages over the past year. It states that while 6.9 million open source components were published in the last 12 months, a mere 60,813 Software Bills of Materials (SBOMs) were made available, highlighting a gap in monitoring and documentation.
Brian Fox, Chief Technology Officer and Co-Founder at Sonatype, commented on the evolving landscape: "Over the last decade, we've seen software supply chain attacks increase in sophistication and frequency, particularly with the rise of open source malware, while publishers and consumers have remained relatively stagnant when it comes to security."
Fox stressed the necessity of proactive measures, saying, "In order to ensure a vibrant and secure open source ecosystem for the decade ahead, we must build a foundation of proactive security with vigilance against open source malware, decreased consumer complacency, and comprehensive dependency management."
The report identifies a lag in the remediation of vulnerabilities, with some critical issues taking over 500 days to be addressed. It finds that despite 99% of packages having newer versions available, 80% of application dependencies remain unpatched for over a year. Furthermore, 95% of the time, when vulnerable components are used, a fixed version is already available, indicating a lapse in update practices.
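The finding that a fixed version is usually already published when a vulnerable component is in use is something a team can check for itself. The script below is an added illustration, not code from Sonatype or the report: it reads a pinned dependency list in requirements.txt form, compares each pin against an advisory feed, and reports which components could be remediated by a plain upgrade. The lockfile, the advisory entries and the `ADV-PLACEHOLDER-*` identifiers are all constructed for the example and describe no real vulnerability; a real run would load a lockfile or SBOM and a live advisory source instead.

```python
"""Check a pinned dependency list against an advisory feed and report which
components already have a fixed version available (all data constructed)."""
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample lockfile in requirements.txt "name==version" form.
SAMPLE_LOCKFILE = """\
requests==2.25.1
urllib3==1.26.5
pyyaml==5.4.1
# comments and blank lines are skipped

jinja2==3.1.4
"""

class Advisory(NamedTuple):
    advisory_id: str     # placeholder id, not a real advisory
    introduced: str      # first affected version (inclusive)
    fixed: str           # first fixed version (exclusive upper bound)

# Constructed advisory feed keyed by normalised package name. The version
# ranges and ids are illustrative only and do not describe real vulnerabilities.
SAMPLE_ADVISORIES: Dict[str, List[Advisory]] = {
    "requests": [Advisory("ADV-PLACEHOLDER-1", "2.0.0", "2.31.0")],
    "urllib3": [
        Advisory("ADV-PLACEHOLDER-2", "1.0.0", "1.26.18"),
        Advisory("ADV-PLACEHOLDER-3", "2.0.0", "2.0.7"),
    ],
    "pyyaml": [Advisory("ADV-PLACEHOLDER-4", "3.0", "5.4")],
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into an integer tuple for ordering.
    Non-numeric segments sort below any number; adequate for the plain
    release pins in a lockfile, not a full PEP 440 implementation."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))

def parse_lockfile(text: str) -> Dict[str, str]:
    """Return {package: pinned_version} from 'name==version' lines."""
    pins: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "==" not in line:
            continue
        name, version = line.split("==", 1)
        pins[name.strip().lower()] = version.strip()
    return pins

class Finding(NamedTuple):
    package: str
    pinned: str
    upgrade_to: str                # lowest version clearing every matching advisory
    advisories: Tuple[str, ...]    # ids of the advisories the pin falls under

def find_fixable(pins: Dict[str, str], feed: Dict[str, List[Advisory]]) -> List[Finding]:
    """List pinned components that sit inside an advisory range and for which
    a fixed version is already published."""
    findings: List[Finding] = []
    for package, pinned in sorted(pins.items()):
        current = parse_version(pinned)
        hits = [a for a in feed.get(package, [])
                if parse_version(a.introduced) <= current < parse_version(a.fixed)]
        if hits:
            # Every matching range contains the current version, so the highest
            # "fixed" bound is the smallest upgrade that clears all of them.
            target = max(hits, key=lambda a: parse_version(a.fixed)).fixed
            findings.append(Finding(package, pinned, target,
                                    tuple(a.advisory_id for a in hits)))
    return findings

def fix_available_ratio(pins: Dict[str, str], feed: Dict[str, List[Advisory]]) -> float:
    """Share of pinned components that a simple version bump would remediate."""
    if not pins:
        return 0.0
    return len(find_fixable(pins, feed)) / len(pins)

if __name__ == "__main__":
    pins = parse_lockfile(SAMPLE_LOCKFILE)
    for f in find_fixable(pins, SAMPLE_ADVISORIES):
        print(f"{f.package}=={f.pinned}: upgrade to >={f.upgrade_to} ({', '.join(f.advisories)})")
    print(f"{fix_available_ratio(pins, SAMPLE_ADVISORIES):.0%} of pins have a published fix")
```

On the constructed data two of the four pins are inside an advisory range with a fix already available, which is exactly the situation the report describes at ecosystem scale. The version comparison is deliberately minimal; a production check should use a proper PEP 440 parser and a maintained advisory database, and should also cover transitive dependencies, which a flat requirements file does not show.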
Data indicates a stark increase in open source consumption: Python's PyPI saw an 80% rise and JavaScript's npm a 70% uptick. This reflects growing reliance on open source software across programming environments.
The report underscores the benefits of supporting open source projects with paid support, noting that such projects are almost three times more likely to possess comprehensive security policies. Those with paid support reportedly address vulnerabilities 45% faster and show fewer vulnerabilities overall.
Regulatory changes are in motion globally, with new policies encouraging the adoption of SBOMs, such as the Network and Information Systems Directive (NIS2) in the European Union. Similar regulatory approaches are anticipated in India and Australia.
Sonatype's study utilised both public and proprietary data, analysing over 1.7 trillion requests from Maven Central and reviewing the operational supply, demand, and security trends across major software ecosystems including Java, JavaScript, Python, and .NET.