Thanks to Derek Weeks, V.P. and DevOps Advocate for Sonatype for sharing their second annual report on managing open source components to accelerate innovation. Following are the key findings of their research:
Developers are feasting on a massive supply of open source components. The use of open source and third party components is exploding. In 2015, 31 billion download requests were recorded from the Central Repository. The trend is accelerating; the previous year, over 17 billion download requests were registered - an 82% increase.
Supplier networks are growing rapidly. Components are delivered to organizations via software supply chains that operate with many parallels to traditional manufacturing supply chains. A vast network of component suppliers creates 1,000 new projects and delivers 10,000 new versions per day.
Not all component parts are equal. While parts are the fuel of software supply chains, they have two big weaknesses: (1) parts are not created equal, and (2) parts age and grow stale quickly. Last year, the average enterprise downloaded 229,000 open source components. If properly sourced and managed, open source components are a tremendous source of energy for accelerating innovation. If not, they lead directly to security vulnerabilities, licensing risks, enormous rework, and waste. Our analysis of these downloads revealed that 6.1% (1-in-16) had a known security defect. Furthermore, data from 25,000 applications demonstrated that 6.8% of components in use had a known security defect. However, because a single component may contain multiple vulnerabilities, an average application consisting of 106 components — of which 6.8% are known bad — could contain numerous unique vulnerabilities.
Software supply chain management practices are gaining traction. To counter the effects of massive component consumption, top performing development organizations embrace supply chain management best practices, including: (1) procure components from fewer and better suppliers, (2) procure only the best parts from those suppliers, and (3) continuously track and trace the precise location of every component. Furthermore, federal regulators and industry associations like FDA, FTC, UL, and FS-ISAC are taking action to build awareness and establish guidelines for sound software supply chain management practices.
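The three practices above lend themselves to a simple inventory check. The following is an added example, not code from Sonatype or the report: it takes a constructed bill of materials in Maven group:artifact:version form, a constructed advisory feed with placeholder ids, and constructed release dates, and reports the number of suppliers, the components with a known defect, and the versions that have grown stale.

```python
from collections import Counter
from datetime import date

# Constructed inventory for one application, as Maven group:artifact:version.
APP_COMPONENTS = [
    "org.example.web:http-core:4.5.2",
    "org.example.web:http-client:4.5.2",
    "org.example.json:json-parse:2.9.8",
    "com.example.logging:log-impl:1.2.17",
    "com.example.util:collections:3.2.1",
]

# Constructed advisory feed: affected coordinate -> placeholder advisory ids.
# A single component can carry several advisories, as the report notes.
ADVISORIES = {
    "org.example.json:json-parse:2.9.8": ["ADV-PLACEHOLDER-1", "ADV-PLACEHOLDER-2"],
    "com.example.logging:log-impl:1.2.17": ["ADV-PLACEHOLDER-3"],
}

# Constructed release dates and check date, used to flag versions grown stale.
RELEASE_DATES = {
    "org.example.web:http-core:4.5.2": date(2016, 6, 1),
    "org.example.web:http-client:4.5.2": date(2016, 6, 1),
    "org.example.json:json-parse:2.9.8": date(2013, 3, 10),
    "com.example.logging:log-impl:1.2.17": date(2012, 5, 26),
    "com.example.util:collections:3.2.1": date(2015, 11, 12),
}
CHECK_DATE = date(2016, 7, 1)

def parse_coordinate(coord):
    """Split 'group:artifact:version' into its three parts."""
    group, artifact, version = coord.split(":")
    return group, artifact, version

def summarize(components, today=CHECK_DATE, max_age_days=730):
    """Count suppliers (groupIds), list known-defective components, flag stale ones."""
    suppliers = Counter(parse_coordinate(c)[0] for c in components)
    defective = {c: ADVISORIES[c] for c in components if c in ADVISORIES}
    stale = sorted(c for c in components
                   if (today - RELEASE_DATES[c]).days > max_age_days)
    return {
        "supplier_count": len(suppliers),
        "defective": defective,
        "defect_rate": len(defective) / len(components),
        "vulnerability_count": sum(len(v) for v in defective.values()),
        "stale": stale,
    }

if __name__ == "__main__":
    print(summarize(APP_COMPONENTS))
```

Run over a real inventory, the same summary shows how many distinct suppliers an application depends on and separates "components with a defect" from "distinct vulnerabilities", which is the distinction the report draws above.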