A Look at the Sonatype State of Software Supply Chain Report
Sonatype today released its fourth annual State of the Software Supply Chain report which found that software developers downloaded more than 300 billion open source components in the past 12 months and that 1 in 8 of those components contained known security vulnerabilities.
The influx of open source components has made vulnerabilities far easier for attackers to take advantage of, since the same flawed component is reused across many applications. The DevSecOps Community Survey of 2,076 IT professionals found that 30% of respondents believe they experienced a breach due to open source components, more than double last year's share. Since 2014, the year of OpenSSL's Heartbleed vulnerability, open source related breaches are up 121%.
The report also tracks the average number of days between a vulnerability becoming public and its exploitation in the wild. In 2006 that window averaged 45 days; by 2017 it had dropped to 3 days.
Cryptojacking has become a major threat to applications built from open source components. In March 2017, attackers exploited a flaw in Apache Struts to install backdoors, DDoS bots, cryptocurrency miners, or ransomware in applications built on the framework, walking away with at least $100,000 in cryptocurrency. That Struts flaw was under active exploitation within days of its public disclosure, a concrete instance of the shrinking exploit window. It is just one of many cases in which cryptojackers have taken advantage of vulnerabilities in open source components.
“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it are increasingly at risk,” said Sonatype CEO Wayne Jackson. “A series of high profile and devastating cyber-attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments if managed properly.”
Some additional key findings from this year’s report include:
Managed software supply chains are 2X more efficient and 2X more secure
- Automated OSS security practices reduce the presence of vulnerabilities by 50%.
- DevOps teams are 90% more likely to comply with open source governance when security policies are automated.
The window to respond to vulnerabilities is shrinking rapidly
- Over the past decade, the mean time to exploit open source defects in the wild has shrunk from an average of 45 days to just 3, a roughly fifteenfold compression (about 93%).
Hackers are beginning to assault software supply chains
- Over the last 18 months, a series of no fewer than 11 events points to a serious escalation of attacks on the software supply chain.
- These assaults, which include hackers injecting vulnerabilities directly into open source projects, represent a new front in the battle to secure software applications.
The industry lacks meaningful open source controls
- 3 million vulnerabilities in OSS components have no corresponding CVE entry in the public NVD database.
- 62% of organizations admitted to not having meaningful controls over OSS components used in their applications.
Governments are stepping in, as enterprises struggle to self-regulate
- 19 different governmental organizations around the world have called for improved OSS security and governance.
Supply of, and demand for, open source show no sign of slowing down
- More than 15,000 new or updated open source releases are made available to developers every day.
- The average enterprise downloaded 170,000 Java components in 2017, up 36% year over year.