Software supply chain report focuses on open source impact

By actively governing the flow of open source components, organizations are improving application quality and developer productivity.

Sonatype has released its third annual State of the Software Supply Chain Report. This year’s report highlights risks lurking within open source software components and quantifies the empirical benefits of actively managing software supply chain hygiene.
 
Organizations that are actively managing the quality of open source components flowing into production applications are realizing a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality. Furthermore, analysis of more than 17,000 applications reveals that applications built by teams utilizing automated governance tools reduced the percentage of defective components by 63 percent.
 
Conversely, organizations failing to manage software supply chains are unwittingly releasing vulnerable applications into production, wasting thousands of hours on rework and bug fixes, and facing increased liability due to gross negligence.
 
Additional key findings of the 2017 State of the Software Supply Chain report include:
 
Consumption of open source components is growing on a massive scale
  • Year-over-year downloads of Java components grew 68 percent (52 billion in 2016), JavaScript downloads grew 262 percent (59 billion in 2016), and demand for Docker components is expected to grow 100 percent (12 billion downloads).
  • Faced with a near infinite supply of open source components, high-functioning DevOps organizations are utilizing machine automation to govern the quality of open source components flowing through their software supply chains.
 
Open source component suppliers remain slow to fix vulnerabilities
  • Even when vulnerabilities are known, OSS projects are slow to remediate, if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.
  • This puts the onus on DevOps organizations to actively govern which OSS projects they work with, and which components they ultimately consume.
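The two findings above (governing components with machine automation, and choosing which components to consume when most upstream projects never ship a fix) come down to a policy gate in the build. The following is an added example, not code from Sonatype or from the report: a minimal gate that reads Maven coordinates out of a constructed pom.xml, checks them against a constructed advisory table (the component names and ADV-000x identifiers are hypothetical, not real CVEs), and returns a verdict a CI job can fail on. It distinguishes a vulnerable component with an available fix (block, name the upgrade) from one with no fix (warn, or block under a stricter policy), and it fails closed on a version it cannot resolve.

```python
"""Added example: a dependency policy gate for Maven coordinates.

Not Sonatype's code. The pom.xml and the advisory table below are
constructed for illustration; the ADV-000x ids are hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from collections import namedtuple

# Constructed sample pom.xml (not a real project).
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties>
    <widget.version>1.2.3</widget.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>widget-core</artifactId>
      <version>${widget.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>legacy-parser</artifactId>
      <version>0.9.1</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>clean-lib</artifactId>
      <version>4.0.0</version>
    </dependency>
  </dependencies>
</project>
"""

# Constructed advisory table: component -> affected range [introduced, fixed).
# "fixed": None models the majority case the report describes: a known
# vulnerability the upstream project has not remediated.
ADVISORIES = {
    "org.example:widget-core": [{"id": "ADV-0001", "introduced": "1.0.0", "fixed": "1.3.0"}],
    "org.example:legacy-parser": [{"id": "ADV-0002", "introduced": "0.1.0", "fixed": None}],
}

Finding = namedtuple("Finding", "component version action advisory fixed_in")


def _local(tag):
    """Strip the XML namespace Maven puts on every pom element."""
    return tag.split("}", 1)[-1]


def parse_version(v):
    """Numeric-only comparison key, padded to 4 fields: 1.10 > 1.9.9.
    Pre-release qualifiers (-SNAPSHOT, -beta2) are dropped, so a beta
    compares equal to its release; a stricter gate would rank it below."""
    nums = [int(x) for x in re.findall(r"\d+", v.split("-")[0])]
    return tuple((nums + [0, 0, 0, 0])[:4])


def parse_dependencies(pom_xml):
    """Return [(groupId:artifactId, version)] with ${property} references
    resolved from <properties>; unresolvable ones are left as-is."""
    root = ET.fromstring(pom_xml)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props.update({_local(p.tag): (p.text or "").strip() for p in el})
    deps = []
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        f = {_local(c.tag): (c.text or "").strip() for c in dep}
        version = f.get("version", "")
        m = re.fullmatch(r"\$\{(.+)\}", version)
        if m:
            version = props.get(m.group(1), version)
        deps.append((f"{f.get('groupId', '?')}:{f.get('artifactId', '?')}", version))
    return deps


def evaluate(pom_xml, advisories, block_unfixed=False):
    """Apply the policy. Returns ("PASS"|"FAIL", [Finding, ...]).
    Fails closed: a version that cannot be resolved cannot be evaluated."""
    findings = []
    for coord, version in parse_dependencies(pom_xml):
        if not version or version.startswith("${"):
            findings.append(Finding(coord, version, "UNRESOLVED", None, None))
            continue
        v = parse_version(version)
        for adv in advisories.get(coord, []):
            below_fix = adv["fixed"] is None or v < parse_version(adv["fixed"])
            if not (v >= parse_version(adv["introduced"]) and below_fix):
                continue
            if adv["fixed"]:
                findings.append(Finding(coord, version, "BLOCK", adv["id"], adv["fixed"]))
            else:
                action = "BLOCK" if block_unfixed else "WARN"
                findings.append(Finding(coord, version, action, adv["id"], None))
    failing = {"BLOCK", "UNRESOLVED"}
    verdict = "FAIL" if any(f.action in failing for f in findings) else "PASS"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = evaluate(SAMPLE_POM, ADVISORIES)
    for f in findings:
        fix = f" (upgrade to {f.fixed_in})" if f.fixed_in else ""
        print(f"{f.action:10} {f.component}@{f.version} {f.advisory or ''}{fix}")
    print("verdict:", verdict)
```

Run as a CI step, a FAIL exit is what turns the report's "actively govern which components they consume" into an enforced control rather than a dashboard. The `block_unfixed` switch is the policy decision the 233-day remediation figure forces: either accept unfixed components with a warning, or require the team to replace the component.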
 
Number of downloaded components with known vulnerabilities is slightly decreasing
  • In 2016, the percent of Java components downloaded from the Central Repository that contained known security vulnerabilities fell to 5.5 percent (1 in 18), down from 6.1 percent the year prior.
  • Although this defect download ratio is far from perfect, there is empirical evidence that hygiene is beginning to improve with ratios declining slightly in each of the last three years.
 
The regulatory landscape is rapidly changing
  • In the past year in the United States, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety, and security of software supply chains.