The root cause of open-source risk

2023 saw twice as many software supply chain attacks as 2019-2022 combined. Sonatype logged 245,032 malicious packages in 2023. One in eight open-source downloads today poses known and avoidable risks.

Vulnerabilities can still be prevented

Nearly all (96%) vulnerabilities are still avoidable. 2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available – the exact same percentage as in 2022. For every non-optimal component upgrade made, there are typically 10 superior versions available.

Only 11% of open-source projects are ‘actively maintained’. Sonatype analyzed 1,176,407 open-source projects across four major ecosystems. The finding demonstrates the importance of constant vigilance from consumers in tracking the health of dependencies over time.

Suboptimal open-source consumption habits are the root cause of open-source risk, contrary to public discourse often linking security risk with open-source maintainers. Maintainers, on average, promptly address and resolve issues.

“A lot of maintainers are very diligent – Big Tech companies go out of their way to hire talented people to maintain libraries they rely on,” says Brian Fox, CTO at Sonatype. “Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers and giving them access to the right tools. The goal is to help developers be more intentional about downloading open-source software from projects with the most maintainers and the healthiest ecosystem of contributors. This will not only create safer software but also recoup nearly 2 weeks of wasted developer time each year.”

Disconnect between perceived security and reality

Amidst rising software supply chain attacks, there’s also a continued disconnect between perceived security and reality in software development:

Organizations think their software supply chains are under control: 67% of respondents feel confident that their applications do not rely on known vulnerable libraries. Yet, nearly 10% of respondents reported their organizations had security breaches due to open-source vulnerabilities in the last 12 months.

Awareness and mitigation of open-source vulnerabilities lacks urgency in many organizations: The report found that 39% of organizations discover vulnerabilities within one to seven days; 29% take over a week to become aware and 28% discover within one day; When it comes to mitigation, 36.2% of respondents require over a week to mitigate vulnerabilities.

Developers play a pivotal role in driving progress

Open-source projects that are consistently maintained outperformed their counterparts on critical software security best practices. Compared to less-maintained libraries, consistently maintained projects tend to score:

• 5.9x higher on SAST
• 5.4x higher on Signed Releases
• 5.1x higher on Dependency Update Tools
• 3.6x higher on Code Review
• 3.8x higher on Branch Protection

Optimal dependency management saves time, money, and decreases security risk: Combined with optimal upgrades, a 25% reduction in false positives over the course of a year saves you twice as much time in solving component upgrades and high-risk vulnerability production.

“Impactful change necessitates clear direction,” adds Fox. “For both better and worse, today’s software organizations face an overwhelming amount of options for addressing these issues – from a multitude of frameworks to weekly governmental guidance, and more. All that choice is ripe to create paralysis, making it hard to get started.”

Improving efficiency and security posture

Amid the spike in software supply chain vulnerabilities, there are signs of developers taking measures to improve efficiencies and security posture. The report shows the use of AI/ML components in software development surging by 135% in less than a year, largely owing to the massive efficiencies the technology affords software developers, in addition to how quickly AI/ML components can be integrated into software development workflows. That said, developers and organizations face significant challenges in developing their own AI products.

“Choosing the right AI/ML tools is really difficult – there are hundreds of thousands of options, and the burden of choosing those tools falls on data scientists,” says Stephen MaGill, Vice President of Product Innovation at Sonatype. “AI/ML also comes with tons of new security and licensing concerns, not to mention huge costs for implementing paid services. And since a significant portion of LLM models are open-source, that means all the inherent security concerns linked to open-source will matter for AI, too.”