1 in 16 Java Components Have Security Defects

Sonatype just released it's 2nd annual State of the Software Supply Chain Report.  Over the past year, researchers amassed a great deal of data with respect to the staggering volume and variety of Java (as well as NuGet, RubyGems, npm) open source components flowing through software supply chains into development environments.  This year, the report assessed behaviors across 3,000 organizations and performed deep analysis on over 25,000 applications.

The results we discovered ranged from staggering to surprising to sobering.  For example, researchers measured organizations consuming an average of 229,000 components annually.  The good news is, these components help companies accelerate their development and innovation.  At the same time, we saw 6.8% of components used in applications marked with at least one known security vulnerability — adding high levels of security debt.  Not all components are created equal.

In the past year, Sonatype was far from the only organization pursuing the need for improved software supply chain practices.  The researchers studied the patterns and practices exhibited by high-performance organizations and documented how these innovators are utilizing the principles of software supply chain automation to manage the massive flow and variety of open source components.  These organizations are striving to consistently deliver higher quality applications for less, while lowering their risk profile. This year’s report profiles organizations across banking, insurance, defense, energy, technology, and government sectors.

The 2016 State of the Software Supply Chain Report blends public and proprietary data with expert research and analysis to reveal the following:

• Developers are gorging on an ever expanding supply of open source components.  Billions of open source components were downloaded in the last year.
• Vast networks of open source component suppliers are growing rapidly.  Over 1,000 new open source projects and 10,000 new versions of open source components are introduced daily.
• Massive variety and volume of software components vary widely in terms of quality.  1 in 16 parts include a known security defect.
• Top performing enterprises, federal regulators and industry associations have embraced the principles of software supply chain automation to improve the safety, quality, and security of software.

If you are developing with Java or other open source components, we invite you to read the report and leverage the insights to understand how your organization’s practices compare to others. 

If you would like to join a live discussion on this year's report, you can hear from the research team on Wednesday, July 13th. Save your seat here.