A Sonatype survey also found a 650% year-over-year increase in supply chain attacks targeting upstream public repositories.
Sonatype’s seventh annual State of the Software Supply Chain Report revealed that developers believe software management practices are in much better shape than field conditions indicate.
The analysis found that the majority of respondents use an ad hoc approach to software supply chain management for most parts of the process except remediation and inventory. Respondents seem to correct risky components and understand where the risks lie in the supply chain, even though they have an informal approach to the build and release and risk management processes.
The report showed a clear disconnect between what is really going on and what people think: “Respondents persuaded themselves to believe that they are doing a good job, leading at least to a false sense of security and at worst to huge inefficiencies. in the engineering process. ”
The report also found a 650% year-over-year increase in supply chain attacks targeting upstream public repositories. There were 216 software supply chain attacks from February 2015 to June 2019. From July 2019 to May 2020, that number increased to 929 attacks, according to the report.
SEE: Open source developers say securing their code is an overwhelming waste of time
Matt Howard, executive vice president of Sonatype, said in a press release that the report reinforces the fact that open source is both an essential fuel for digital innovation and a ripe target for chain attacks. software procurement.
“As developer demand for open source continues to grow exponentially, our research shows for the first time just how little use is in the overall supply,” he said. “Additionally, we now know that popular projects contain a lot more vulnerabilities.”
Additionally, the analysis found that 29% of popular open source projects contain at least one known security vulnerability, compared to only 6.5% of less popular OSS projects. And, despite the millions of open source projects available, only 6% are used regularly.
The most common types of attacks on the software supply chain in the past year were:
- Dependency / Namespace Confusion: A malicious actor publishes a malicious package using the exact same name as a legitimate proprietary package to a public repository that does not regulate namespace identity.
- Typosquatting: This indirect attack takes advantage of misspellings and typos to trick developers into installing a malicious component that is believed to be real.
- Malicious Source Code Injections: This type of attack has declined in frequency over the past year and involved injecting malicious source code directly into the repository of an open source project.
How to Reduce OSS Software Supply Chain Risks
To minimize the risks associated with vulnerabilities in third-party open source libraries, Sonatype analysts recommend that software development teams adopt defined criteria to select open source projects and look for projects with low average update time. .
This metric provides visibility into the dependency management practices of an open source project and shorter time is preferable. According to the report, “Projects that consistently respond quickly to dependency upgrades in their downstream dependency chain will have a low MTTU. Projects that consistently react slowly or have a high variation in their reaction time will have a higher MTTU. Previous research from Sonatype has also suggested that MTTU is correlated with mean time to remediation.
Measure supply chain practices and engineering results
In addition to assessing the state of open source security, the Sonatype report also examined how the reality of supply chain management compares to best practices. The researchers also surveyed 702 software engineers to measure the state of software supply chain management with open source software. The survey aimed to develop a set of references.
Sonatype analysts measured survey responses against these eight elements of software supply chain management practices:
- Application inventory: What apps do you run and what open source components do they include?
- Supplier hygiene: Are the OSS components from a trusted vendor?
- Build and publish: Do you understand how software components fit together to build and launch production applications?
- Project consumption: Do you manage the selection of OSS components?
- Give back: Are you contributing to the open source community?
- Policy control: What is your tolerance for risk?
- : What is your execution plan for implementing new processes and tools?
- Correction : How do you correct the risks identified in the OSS components?
The responses were scored and then mapped to one of the five stages of software supply chain management maturity:
- Not managed : An “anything goes” mindset with a minimum of supervision.
- Exploration: A process of identifying perceived problems and starting to find solutions.
- Ad hoc: The start of the definition and selection of new tools and processes.
- Control: A more formalized governance process is starting to take hold.
- Monitor and measure: A phase of proactive risk management related to OSS components.
The majority of responses were noted during the ad hoc phase or earlier. Combining these findings with objective analysis from other chapters in the report revealed the disconnect between how software development teams think they are doing and what is actually going on. According to the report, “Development teams don’t follow structured guidelines and don’t have smart tools to ensure quality results. Reconciling this perception with reality will help organizations achieve the promised efficiencies in addiction management ”.