Open Source Software Supply Chain Attacks Triple, Calls for Better Practices Highlighted


A recent report by Sonatype reveals that open-source software (OSS) supply chain attacks have tripled, emphasizing the need for improved practices and vigilance. The 9th Annual State of the Software Supply Chain Report presents alarming trends in OSS and software supply chain security, and highlights how better tools and practices can save developers time and money. Key findings in the report include:

  1. Surge in Supply Chain Attacks: In 2023, there were twice as many software supply chain attacks as in the years 2019-2022 combined. Sonatype recorded 245,032 malicious packages in 2023, indicating the rising threat.
  2. Vulnerabilities are Avoidable: A staggering 96% of vulnerabilities in open source software were avoidable, meaning they could have been mitigated by using better, fixed versions that were available. This percentage remained unchanged from the previous year, signifying the persistence of the issue.
  3. Decline in Actively Maintained Open Source Projects: The report found that only 11% of open source projects were 'actively maintained,' marking an 18% decline in such projects. The drop underscores the importance of constant vigilance in tracking dependencies over time.

The report reinforces that suboptimal consumption behaviors are a significant cause of open source risk, shifting the focus away from maintainers as the primary security concern. The data indicates that maintainers often promptly address and resolve issues.

Brian Fox, CTO at Sonatype, stressed the need for directing efforts towards helping developers become better decision-makers and providing them with the right tools. He emphasized that prioritizing downloads from projects with more maintainers and a healthy ecosystem of contributors would create safer software and save nearly two weeks of wasted developer time each year.

Despite rising software supply chain attacks, there's a disconnect between perceived security and reality in software development:

  • 67% of organizations felt confident in their control over software supply chains.
  • However, nearly 10% reported security breaches due to open source vulnerabilities in the past year.

Awareness and mitigation of open source vulnerabilities remain less urgent for many organizations. The report showed that 39% of organizations took one to seven days to discover vulnerabilities, while 36.2% needed over a week to mitigate them.

Developer productivity is closely tied to access to superior tools and high-quality open source components. The report highlights that open source projects with consistent maintenance perform significantly better on critical software security best practices. Optimal dependency management saves time and money and reduces security risk: teams that make optimal upgrade decisions save 1.5 months of time per application per year.

The report also noted a surge in the use of AI/ML components in software development, which increased by 135% in less than a year. AI/ML components offer significant efficiency improvements, although they come with their own challenges, including managing open source security risk and uncertainties around licensing.

Sonatype's report underlines the urgent need for better practices, tools, and awareness to secure the open source software supply chain in a rapidly evolving technological landscape.