Combat vulnerabilities in open source code



Open source downloads are on track to reach 1.5 trillion in 2020, an all-time high. At the same time, the incidence of cyber attacks actively targeting open source software projects has increased by 430%. How are businesses responding to the deluge of vulnerabilities and what influences their success?

For the answers, we turned to Sonatype’s sixth annual State of the Software Supply Chain Report, which draws on public and private databases as well as survey data and offers unique insights into the state of open source security and how the proliferation of open source code has left the global supply chain at risk.

The main conclusions of the report are as follows:

  • Remote working doesn’t slow down software development: Despite the global impacts of COVID-19, 2020 is poised to see 1.5 trillion downloads of open source components and containers.

  • When building applications, development teams use an average of 135 software components, 90% of which are open source, an all-time high.

  • Open source code is increasingly a target: Globally, 2019 saw a 430% increase in next-generation cyber attacks actively targeting open source software projects.

The proliferation of open source code has put the global supply chain at risk. The task of dealing with open source software vulnerabilities falls on software engineers who now face a much heavier burden.

To shed light on how enterprise software development teams use open source components and the performance and risk management results they get, Sonatype’s open source and security research team collaborated with Dr Stephen Magill and Gene Kim to examine how high performing teams demonstrate superior risk management results while maintaining high levels of productivity.

Their conclusions can be summarized as follows:

While adversaries accelerate, speed is better for open source projects, and productivity does not have to come at the cost of reduced security in the company.

Responses from 679 people across a wide variety of verticals, including banking, retail, healthcare, and government, to a survey of 41 questions were analyzed using cluster analysis.

This revealed four distinct groups:

⊲ High performance: high productivity, excellent results in risk management (N = 151)

⊲ Poor performance: low productivity, poor results in risk management (N = 107)

⊲ Safety first: low productivity, excellent results in terms of risk management (N = 167)

⊲ Productivity first: high productivity, poor results in terms of risk management (N = 103)


The report presents results that show the top performers dramatically outperform the bottom performers in software delivery and security: they deploy more frequently, they detect and remediate vulnerable OSS components faster, they integrate developers into new teams faster, and they approve the use of new OSS components faster. As a bonus, developers on high performance teams report higher levels of job satisfaction.


More information

State of the Software Supply Chain Report 2020 Presentation

State of the Software Supply Chain Report 2020 (email required for download)
