I just finished talking with Derek Weeks, V.P. and DevOps Advocate at Sonatype, a leader in software supply chain automation. They just announced 300 percent growth in the use of Nexus Repository over the past three years.
During this period, the number of active instances of Nexus Repository grew from 30,000 to 120,000 spurred by the introduction of Nexus Repository v3, universal support for component formats, and growing concern among enterprises about security vulnerabilities in open source components and containers.
Organizations that rely on the Nexus Repository to house open source software components and containerized applications have gained new visibility into the quality of components flowing through their software supply chains.
In 2016 alone, Nexus Repository saw a 40 percent increase in the use of its Repository Health Check feature. Today, 23,000 organizations utilize Repository Health Check every day to automatically analyze security, licensing, and architectural risks across 58 million components living inside local Nexus Repository Managers.
The popularity of open source software development continues to grow because it minimizes the need to code from scratch. However, as indicated in the most recent State of the Software Supply Chain Report, 1 in 15 open-source components used in production applications has at least one known security vulnerability. In order to eliminate security risks, improve quality, and accelerate innovation, DevOps-native organizations are beginning to automatically manage the quality of components being used to assemble software applications.
Gartner analysts Neil MacDonald and Ian Head wrote in Gartner’s September 2016 report, 'DevSecOps: How to Seamlessly Integrate Security into DevOps' that, “By 2019, more than 70% of enterprise DevOps initiatives will have incorporated automated security vulnerability and configuration scanning for open source components and commercial packages, up from less than 10% in 2016.”
“There is increasing evidence that more organizations are taking software supply chain automation and component security seriously,” said Wayne Jackson, CEO of Sonatype. “Specifically, DevOps-native organizations are embracing tools such as Nexus Repository and Nexus Firewall to automatically block bad components from entering into their mission-critical applications.”
Gartner analysts, Neil MacDonald and Ian Head echoed this sentiment in their DevSecOps report, writing, “The issue is that often developers (knowingly or unknowingly) download known vulnerable open source components and frameworks for use in their applications.”
A best practice recommended in the report is to “implement an ‘OSS firewall’ to proactively prevent developers from downloading known vulnerable code from Maven, GitHub, and other OSS code repositories by policy.” This policy is reiterated by the Department of Energy, the Department of Defense, and the American Banking Association, to name a few.