
Study: Exponential increase in cyber attacks on open source projects

Since 2015 the company Sonatype, which specializes in DevSecOps, has published the “State of the Software Supply Chain Report” annually. In this year’s edition, the company shows a strong increase in the use of open source software, but also an increased risk of attack compared to last year.

Sonatype took a closer look at the four largest providers of open source software: the Maven Central Repository for Java, NuGet for .NET, npm for JavaScript and the Python Package Index (PyPI) for Python. Both supply of and demand for open source software grew strongly: compared to the previous year, the number of open source projects in the four ecosystems rose by 20 percent, and component downloads by an average of 73 percent.

Figure: Year-on-year increase in downloads from Maven, npm, PyPI and NuGet, 2020 to 2021 (Image: Sonatype)

Of the top 10 percent of the most popular open source projects, almost a third (29 percent) have at least one known security vulnerability. In the remaining 90 percent of the projects, this only applies to 6.5 percent. Sonatype sees the reason for this in the focus of security researchers on the most popular projects, so potential gaps in less popular software packages tend to remain undetected.

Figure: Proportion of projects with known security vulnerabilities, taking into account their popularity (Image: Sonatype)

In addition, attacks on open source software are increasing exponentially, according to the study: supply chain attacks such as malicious code injection and dependency confusion show an increase of 650 percent compared to the previous year. In the report from 2020, this value was 430 percent.

In addition to other aspects such as peer practices, the study also looks at laws regulating the software supply chain in the USA, the United Kingdom, Germany, the European Union and globally. For example, it discusses the controversial IT Security Act 2.0, which has been in force in Germany since May 2021. Under that act, manufacturers of software components are subject to requirements for securing the supply chain, provided that certain conditions are met, such as the use of their components in critical infrastructures.

More information about the study can be found on the Sonatype blog as well as in the complete “2021 State of the Software Supply Chain Report”.


(May)


Disclaimer: This article is generated from the feed and not edited by our team.