{"id":1825,"date":"2019-07-16T05:00:43","date_gmt":"2019-07-16T05:00:43","guid":{"rendered":"http:\/\/kusuaks7\/?p=1430"},"modified":"2023-09-20T11:13:48","modified_gmt":"2023-09-20T11:13:48","slug":"good-news-bad-news-in-new-open-source-software-report","status":"publish","type":"post","link":"https:\/\/www.experfy.com\/blog\/bigdata-cloud\/good-news-bad-news-in-new-open-source-software-report\/","title":{"rendered":"Good news, bad news in new open source software report"},"content":{"rendered":"<article><p>It is possible to manage your open source software supply chain to reduce the risk of vulnerabilities and breaches. The problem is, not everyone is following this advice, according to the <a href=\"https:\/\/www.sonatype.com\/2019ssc\" target=\"_blank\" rel=\"noopener noreferrer\">2019 State of the Software Supply Chain Report<\/a>, which was released yesterday by DevOps automation firm Sonatype.<\/p>\n<p>While there has been a 71% increase in confirmed or suspected open source-related breaches since 2014, and 25% of organisations reported a confirmed or suspected open source-related breach in the past year, the news on the open source security front is not all bad.<\/p>\n<p>This is the fifth annual report on global open source software development and is based on what is arguably one of the largest data sources ever tapped for this kind of research: 36 000 open source project teams, 3.7 million open source component releases, 12 000 commercial engineering teams and two surveys with a combined participation of 6 200 development professionals.<\/p>\n<p style=\"text-align: center;\"><img decoding=\"async\" style=\"width: 700px; height: 327px;\" src=\"https:\/\/lh3.googleusercontent.com\/_KgUUD2Da1qcqyYOhaLjJRpDO7GkvLW7bolhKpi1Um3357zaXrjGc9PxdkDY3mNA5LAB_efXERBmc1nAVC4KHw=w816-h381-c\" alt=\"OSS component growth from 2017 \u2013 2019 (Source: Sonatype\u2019s 2019 State of the Software Supply Chain report)\" \/><\/p>\n<p style=\"text-align: center;\">OSS component growth from 2017 \u2013 2019 (Source: Sonatype\u2019s 2019 State of the Software Supply Chain report)<\/p>\n<p>The report clearly shows that the popularity of open source continues to rise exponentially. Demand for JavaScript, for example, is huge. In 2018, the average weekly npm package downloads rose from approximately 3.5 billion to 10 billion \u2013 an increase of 185%.<\/p>\n<p>However, popularity does not imply less vulnerability. The percentage of vulnerable Java components downloaded has increased substantially over the past four years, from 6.1% in 2015 to 12.1% in 2018. This dropped slightly to 10.3% in the current survey.<\/p>\n<p>The rise in overall open source-related breaches should be seen against the background of the massive growth in the use of open source components. According to the research, there has been 75% growth in the supply of open source component releases over the past two years, and 148 billion download requests from the Central Repository alone in the past 12 months \u2013 a year-on-year increase of 68%.<\/p>\n<p>In addition, the research indicated a 55% reduction in the use of vulnerable open source components \u2013 but largely within managed software supply chains.<\/p>\n<p>The report highlighted the benefits of the managed approach and best practices adopted by what it terms \u2018exemplary\u2019 open source software projects and commercial application development teams.<\/p>\n<p>According to Wayne Jackson, CEO of Sonatype, the tried and tested advice to organisations was to rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software.<\/p>\n<p>\u201cFor organisations that tame their software supply chains through better supplier choices, component selection and use of automation, the rewards revealed in this year\u2019s report are impressive. Use of known vulnerable component releases was reduced by 55%,\u201d he said.<\/p>\n<p>However, it appears that some open source component users are oblivious to all advice and warnings. A shocking finding in the report was that the publicity and warnings relating to Apache Struts, the component whose vulnerability was exploited in the infamous breach at Equifax in 2017, have been widely ignored. Sonatype\u2019s analysis of Struts downloads from the Central Repository revealed that the volume of monthly vulnerable downloads continued to rise; just one year after the breach, Struts downloads increased 11% to 2.1 million, and the trend has not slowed since.<\/p>\n<\/article>\n","protected":false},"excerpt":{"rendered":"<p>The popularity of open source continues to rise exponentially. Demand for JavaScript, for example, is huge. However, popularity does not imply less vulnerability. The percentage of vulnerable Java components downloaded has increased substantially over the past four years. The rise in overall open source-related breaches should be seen against the background of the massive growth in the use of open source components. It appears that some open source component users are oblivious to all advice and warnings.<\/p>\n","protected":false},"author":544,"featured_media":3328,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[187],"tags":[95],"ppma_author":[3207],"class_list":["post-1825","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bigdata-cloud","tag-big-data-amp-technology"],"authors":[{"term_id":3207,"user_id":544,"is_guest":0,"slug":"marilyn-de-villiers","display_name":"Marilyn Villiers","avatar_url":"https:\/\/secure.gravatar.com\/avatar\/?s=96&d=mm&r=g","user_url":"","last_name":"Villiers","first_name":"Marilyn","job_title":"","description":"Marilyn de Villiers is a freelance writer and editor."}],"_links":{"self":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1825","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/users\/544"}],"replies":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/comments?post=1825"}],"version-history":[{"count":2,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1825\/revisions"}],"predecessor-version":[{"id":29117,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/posts\/1825\/revisions\/29117"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media\/3328"}],"wp:attachment":[{"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/media?parent=1825"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/categories?post=1825"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/tags?post=1825"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.experfy.com\/blog\/wp-json\/wp\/v2\/ppma_author?post=1825"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}