Sonatype Outlines Software Supply Chain Challenges
July 17, 2017
Sonatype has released its third annual State of the Software Supply Chain Report.
This year's report highlights the risks lurking within open source software
components and quantifies the empirical benefits of actively managing
software supply chain hygiene.
Conversely, organizations failing to manage software supply chains are unwittingly releasing vulnerable applications into production, wasting thousands of hours on rework and bug fixes, and facing increased liability due to gross negligence.
Wayne Jackson, CEO of Sonatype, said:
“Companies are no longer building software applications from scratch,
they are manufacturing them as fast as they can using an infinite supply
of open source component parts. However, many still rely on manual and
time-consuming governance and security practices instead of embracing
DevOps-native automation. Our research continues to show that
development teams managing trusted software supply chains are
dramatically improving quality and productivity.”
• Faced with a near-infinite supply
of open source components, high-functioning DevOps organizations are
utilizing machine automation to govern the quality of open source
components flowing through their software supply chains.
• Even when vulnerabilities are known, OSS projects are slow to remediate - if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.
• This puts the onus on DevOps
organizations to actively govern which OSS projects they work with, and
which components they ultimately consume.
• Although this defect download ratio
is far from perfect, there is empirical evidence that hygiene is
beginning to improve with ratios declining slightly in each of the last
• In the past year in the United States, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety, and security of software supply chains.
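The "machine automation" the report credits to high-functioning DevOps organizations comes down to a policy gate in the build: resolve the components the application actually consumes, match them against a vulnerability feed, and block or warn according to severity and whether the upstream project has shipped a fix. The following is an added example written for this article, not Sonatype's tooling or the report's own method. The advisory identifiers, component names, version numbers and policy thresholds are constructed for illustration; a real gate would read the build's lockfile and a curated advisory feed instead.

```python
"""Automated policy gate for open source components (added example).

Illustrative code written for this article, not Sonatype's product or the
report's method. The advisory feed, component names, version numbers and the
policy thresholds are constructed for the example; a real gate would read the
build's lockfile and a curated vulnerability feed instead.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(text: str) -> Tuple[int, ...]:
    """Parse a dotted numeric version ('2.4.1') into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    ident: str
    component: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version, or None if still unfixed
    severity: float            # CVSS-style score, 0.0 to 10.0

    def affects(self, version: str) -> bool:
        """True when version lies in [introduced, fixed) or no fix exists yet."""
        v = parse_version(version)
        if v < parse_version(self.introduced):
            return False
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass
class Policy:
    block_severity: float = 7.0          # block the build at or above this
    warn_severity: float = 4.0           # warn at or above this
    block_unfixed_severity: float = 4.0  # unfixed advisories block at a lower bar


@dataclass
class Finding:
    component: str
    version: str
    advisory: str
    severity: float
    action: str          # 'block', 'warn' or 'info'
    recommendation: str


# Constructed sample advisories for the example, not real ones.
ADVISORIES = [
    Advisory("ADV-0001", "example-xml-parser", "1.0.0", "2.4.1", 9.8),
    Advisory("ADV-0002", "example-json", "3.0.0", None, 5.3),
    Advisory("ADV-0003", "example-logging", "1.2.0", "1.2.9", 4.0),
]

# Constructed stand-in for a build's resolved dependency list (name, version).
COMPONENTS = [
    ("example-xml-parser", "2.3.0"),
    ("example-json", "3.1.4"),
    ("example-logging", "1.3.0"),
    ("example-http", "4.0.0"),
]


def decide(adv: Advisory, policy: Policy) -> str:
    """Map an advisory to a gate action; an unfixed issue is held to a lower bar."""
    if adv.fixed is None and adv.severity >= policy.block_unfixed_severity:
        return "block"
    if adv.severity >= policy.block_severity:
        return "block"
    if adv.severity >= policy.warn_severity:
        return "warn"
    return "info"


def evaluate(components, advisories, policy: Policy = Policy()) -> List[Finding]:
    """Match every consumed component against the feed and return findings."""
    findings: List[Finding] = []
    for name, version in components:
        for adv in advisories:
            if adv.component != name or not adv.affects(version):
                continue
            if adv.fixed is None:
                rec = "no fixed release; replace the component or accept the risk"
            else:
                rec = f"upgrade to {adv.fixed} or later"
            findings.append(Finding(name, version, adv.ident, adv.severity,
                                    decide(adv, policy), rec))
    return findings


def gate(components, advisories, policy: Policy = Policy()) -> bool:
    """Return True when no finding requires blocking the build."""
    return not any(f.action == "block"
                   for f in evaluate(components, advisories, policy))


if __name__ == "__main__":
    for f in evaluate(COMPONENTS, ADVISORIES):
        print(f"{f.action.upper():5} {f.component}@{f.version} {f.advisory} "
              f"(severity {f.severity}): {f.recommendation}")
    print("build passes" if gate(COMPONENTS, ADVISORIES) else "build blocked")
```

With the constructed data the gate blocks the build twice: once for the critical parser issue that has a fixed release available, and once for the medium-severity JSON issue that the upstream project has not fixed at all. Treating unfixed advisories more strictly is the practical consequence of the report's remediation figures: if the project may never ship a fix, waiting for one is not a plan, and the consuming team has to choose a different component or make an explicit risk decision.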