Virtually all vulnerable open source downloads are avoidable

Open source consumers are downloading about 1.2 billion known vulnerable Java dependencies every month, and whether out of lack of attention, ignorance, stress and overwork or something else, 96% of these at-risk downloads could have been avoided because an updated version or mitigation was available.

That is according to the eighth annual State of the software supply chain report produced by supply chain management specialist Sonatype, released on 18 October at the DevOps Enterprise Summit in Las Vegas, Nevada.

Sonatype’s latest report painted a stark picture of the state of security in the open source community, pointing to what it diplomatically termed “non-optimal” consumption behaviours as lying at the root of pretty much all open source risk.

This is in complete contrast to much public discussion on the issue, which frequently associates risk with those tasked with maintaining open source resources. On the contrary, said Sonatype, maintainers tend to do an above-average job and are generally efficient at delivering fixes.

“This astonishing finding highlights how critical it is for engineering teams to continue education on open source risk and embrace intelligent automation to support their efforts,” said Brian Fox, CTO and co-founder of Sonatype.

“Humans are fallible, and the overwhelming tide of dependency intelligence that developers must interpret in their daily development process is at odds with prioritising good software quality.

“The good news is, this year’s report also shows that ‘optimal’ dependency management is possible. Further, despite the continued attention on trying to ‘fix open source’, the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event.”

Sonatype’s findings, which are based on data and analysis of over 131 billion Maven Central downloads, thousands of open source projects, a survey of engineering pros, and assessment of 85,000 enterprise applications, come at the tail-end of a year that has seen the security of open source development practices shoot up the agenda as a key vector in supply chain attacks.

Just this week, attention was drawn to a new vulnerability in Apache Commons Text, which could put a great many users at risk.

Sonatype said it had observed a 633% year-on-year increase in malicious attacks aimed at open source in public repositories, equating to a 742% average yearly increase in software supply chain attacks in the past three years.

Among the report’s other findings were some concerning gaps between perception and reality. For example, organisations tend to think they have their software supply chains under control: 68% claimed their applications were not using known vulnerable libraries, yet a random sample of enterprise applications found that 68% contained known vulnerabilities.

Managers in particular tended to overstate their organisation’s maturity when it came to managing open source effectively, while developer responsibilities continued to pile on, with the average Java application now containing 148 dependencies to keep an eye on, up 20 from last year. With the average Java project updating about 10 times a year, this means some developers are being forced to track intelligence on 1,500 dependency changes a year per application.

It also noted that developers at organisations demonstrating higher levels of supply chain maturity – for example those using automated solutions – were nearly three times more likely to report higher levels of job satisfaction.

“This year’s State of the software supply chain report demonstrates how open source and software development is ever-evolving, and the imperative need to evolve with it,” said Fox.

“Our research shows that the number of dependencies per open source project is growing, and that these dependencies are a critical driver of risk. Immature organisations expect their developers to stay on top of licence compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures, like speed.

“It comes as no surprise that job satisfaction is heavily linked to the software supply chain practices maturity. This sobering reality demonstrates the immediate need for organisations to prioritise software supply management, so they can better deal with security risk, increase developer efficiency, and enable faster innovation.”
