Since 2015 the company Sonatype, which specializes in DevSecOps, has published the “State of the Software Supply Chain Report” annually. In this year’s edition, the company shows a strong increase in the use of open source software, but also an increased risk of attack compared to last year.
Vulnerabilities and attacks
Of the top 10 percent of the most popular open source projects, almost a third (29 percent) have at least one known security vulnerability. In the remaining 90 percent of projects, only 6.5 percent do. Sonatype attributes the gap to security researchers concentrating on the most popular projects: the lower figure for the long tail reflects less scrutiny rather than fewer bugs, so vulnerabilities in less popular packages tend to remain undiscovered.
The study also finds that attacks on open source software are growing exponentially: supply chain attacks such as malicious code injection and dependency confusion (tricking a build into pulling a same-named package from a public registry instead of the intended private one) increased by 650 percent compared to the previous year. The 2020 report had put the year-over-year increase at 430 percent.
Alongside other topics such as peer practices, the study also surveys laws regulating the software supply chain in the USA, the United Kingdom, Germany, the European Union and globally. For example, it discusses the controversial IT Security Act 2.0, which has been in force in Germany since May 2021. Under it, manufacturers of software components are subject to supply chain security requirements if certain conditions are met, for instance when their components are used in critical infrastructure.