{"id":2697,"date":"2018-09-26T10:38:47","date_gmt":"2018-09-26T14:38:47","guid":{"rendered":"https:\/\/solutionsreview.com\/cloud-platforms\/?p=2697"},"modified":"2018-09-26T10:40:45","modified_gmt":"2018-09-26T14:40:45","slug":"sonatype-state-of-software-supply-chain-report","status":"publish","type":"post","link":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/","title":{"rendered":"A Look at the Sonatype State of Software Supply Chain Report"},"content":{"rendered":"<p style=\"text-align: justify\"><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-2699\" src=\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg\" alt=\"Sonatype State of Software Supply Chain Report\" width=\"800\" height=\"400\" srcset=\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg 800w, https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1-300x150.jpg 300w, https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1-768x384.jpg 768w, https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1-540x270.jpg 540w, https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1-162x81.jpg 162w, https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1-360x180.jpg 360w\" sizes=\"(max-width: 800px) 100vw, 800px\" \/><a href=\"https:\/\/www.sonatype.com\/\">Sonatype<\/a> today released its fourth annual <a href=\"https:\/\/www.sonatype.com\/2018-ssc\" target=\"_blank\" rel=\"noopener\">State of the Software Supply Chain<\/a> report which found that software developers downloaded more than 300 billion open source components in the past 12 months and that 1 in 8 of those components contained known security vulnerabilities.<\/p>\n<p style=\"text-align: justify\">Vulnerabilities have been far easier to take advantage of with the influx of open source components. The DevSecOps Community Survey of 2,076 IT professionals found that 30% of respondents believe they experienced a breach due to open source components. This is more than double last year\u2019s amount. Also, since 2014, the year of OpenSSL\u2019s Heartbleed vulnerability, open source related breaches are up 121%.<\/p>\n<p style=\"text-align: justify\">The report covers the average days before a vulnerability is exploited. In 2006, vulnerabilities took an average of 45 days to be exploited. In 2017, the number dropped down to 3 days.<\/p>\n<p style=\"text-align: justify\"><a href=\"https:\/\/solutionsreview.com\/cloud-platforms\/cloud-crypto-attacks\/\" target=\"_blank\" rel=\"noopener\">Cryptojacking<\/a> has become a major threat to open source components. In March 2017, hackers installed backdoors, DDoS bots, cryptocurrency miners, or ransomware into applications built with Apache Struts. They walked away with at least $100,000 in cryptocurrency. This is just one of many times cryptojackers have taken advantage of system flaws in open source components.<\/p>\n<div class=\"widget\"><div class=\"aside-card\">\t\t\t<div class=\"textwidget\"><p><a class=\"msp-speedbump\" title=\"Download link to Managed Service Providers Buyers Guide\" href=\"https:\/\/solutionsreview.com\/cloud-platforms\/managed-service-provider-buyers-guide\/\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-1682\" src=\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/07\/Managed-Service-Providers-Speedbump-1.jpg\" alt=\"Download Link to Managed Service Providers Buyers Guide\" width=\"771\" height=\"170\" \/><\/a><\/p>\n<\/div>\n\t\t<\/div><\/div>\n<p>\u201cAs open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk,\u201d said Sontatype CEO, Wayne Jackson. \u201cA series of high profile and devastating cyber-attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year\u2019s report proves, however, that secure software development isn\u2019t out of reach. The application economy can grow and prosper in regulated, secure environments if managed properly.\u201d<\/p>\n<p style=\"text-align: justify\">Some additional key findings from this year\u2019s report include:<\/p>\n<h5 style=\"text-align: justify\"><strong>Managed software supply chains are 2X more efficient and 2X more secure<\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>Automated OSS security practices reduce the presence of vulnerabilities by 50%.<\/li>\n<li>DevOps teams are 90% more likely to comply with open source governance when security policies are automated.<\/li>\n<\/ul>\n<h5 style=\"text-align: justify\"><strong>The window to respond to vulnerabilities is shrinking rapidly<\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>Over the past decade, the meantime to exploit open source defects in the wild has compressed 400%, going from an average of 45 days to just 3.<\/li>\n<\/ul>\n<h5 style=\"text-align: justify\"><strong>Hackers are beginning to assault software supply chains<\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>Over the last 18 months, a series of no less than 11 events triangulate a serious escalation of attacks on the software supply chain.<\/li>\n<li>These assaults, which include hackers injecting vulnerabilities directly into open source projects, represent a new front in the battle to secure software applications.<\/li>\n<\/ul>\n<h5 style=\"text-align: justify\"><strong>The industry lacks meaningful open source controls <\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database.<\/li>\n<li>62% of organizations admitted to not having meaningful controls over OSS components used in their applications.<\/li>\n<\/ul>\n<h5 style=\"text-align: justify\"><strong>Governments are stepping in, as enterprises struggle to self-regulate <\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>19 different governmental organizations around the world have called for improved OSS security and governance.<\/li>\n<\/ul>\n<h5 style=\"text-align: justify\"><strong>Supply, and demand for, open source shows no sign of slowing down <\/strong><\/h5>\n<ul style=\"text-align: justify\">\n<li>More than 15,000 new or updated open source releases are made available to developers every day.<\/li>\n<li>The average enterprise downloaded 170,000 Java components in 2017, up 36% year over year.<\/li>\n<\/ul>\n<div class=\"widget\"><div class=\"aside-card\">\t\t\t<div class=\"textwidget\"><p><a class=\"msp-speedbump\" title=\"Download link to Managed Service Providers Buyers Guide\" href=\"https:\/\/solutionsreview.com\/cloud-platforms\/managed-service-provider-buyers-guide\/\" target=\"_blank\" rel=\"noopener\"><img loading=\"lazy\" decoding=\"async\" class=\"alignleft size-full wp-image-1682\" src=\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/07\/Managed-Service-Providers-Speedbump-1.jpg\" alt=\"Download Link to Managed Service Providers Buyers Guide\" width=\"771\" height=\"170\" \/><\/a><\/p>\n<\/div>\n\t\t<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Sonatype today released its fourth annual State of the Software Supply Chain report which found that software developers downloaded more than 300 billion open source components in the past 12 months and that 1 in 8 of those components contained known security vulnerabilities. Vulnerabilities have been far easier to take advantage of with the influx [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":2699,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[2],"tags":[746,35,870,871,872],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v23.5 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>A Look at the Sonatype State of Software Supply Chain Report<\/title>\n<meta name=\"description\" content=\"This year&#039;s Sonatype State of Software Supply Chain Report delves into crucial areas of concern for open-source components and their vulnerabilites.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Doug Atkinson\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"WebPage\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/\",\"url\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/\",\"name\":\"A Look at the Sonatype State of Software Supply Chain Report\",\"isPartOf\":{\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg\",\"datePublished\":\"2018-09-26T14:38:47+00:00\",\"dateModified\":\"2018-09-26T14:40:45+00:00\",\"author\":{\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/5992f02d38e7b28251ad933cd131dcae\"},\"description\":\"This year's Sonatype State of Software Supply Chain Report delves into crucial areas of concern for open-source components and their vulnerabilites.\",\"breadcrumb\":{\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage\",\"url\":\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg\",\"contentUrl\":\"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg\",\"width\":800,\"height\":400,\"caption\":\"Sonatype State of Software Supply Chain Report\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/solutionsreview.com\/cloud-platforms\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"A Look at the Sonatype State of Software Supply Chain Report\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/#website\",\"url\":\"https:\/\/solutionsreview.com\/cloud-platforms\/\",\"name\":\"Cloud Platforms &amp; Infrastructure Services | Solutions Review\",\"description\":\"Evaluating Hyperscale Cloud Providers, Hybrid IaaS, PaaS &amp; Cloud Management Tools.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/solutionsreview.com\/cloud-platforms\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/5992f02d38e7b28251ad933cd131dcae\",\"name\":\"Doug Atkinson\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/092cfcbe5c7f2c185c21f152aada2d2f?s=96&d=blank&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/092cfcbe5c7f2c185c21f152aada2d2f?s=96&d=blank&r=g\",\"caption\":\"Doug Atkinson\"},\"description\":\"An entrepreneur and executive with a passion for enterprise technology, Doug founded Solutions Review in 2012. He has previously served as a newspaper boy, a McDonald's grill cook, a bartender, a political consultant, a web developer, the VP of Sales for e-Dialog - a digital marketing agency - and as Special Assistant to Governor William Weld of Massachusetts.\",\"sameAs\":[\"https:\/\/solutionsreview.com\"],\"url\":\"https:\/\/solutionsreview.com\/cloud-platforms\/author\/doug-atkinson-4\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"A Look at the Sonatype State of Software Supply Chain Report","description":"This year's Sonatype State of Software Supply Chain Report delves into crucial areas of concern for open-source components and their vulnerabilites.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/","twitter_misc":{"Written by":"Doug Atkinson","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"WebPage","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/","url":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/","name":"A Look at the Sonatype State of Software Supply Chain Report","isPartOf":{"@id":"https:\/\/solutionsreview.com\/cloud-platforms\/#website"},"primaryImageOfPage":{"@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage"},"image":{"@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage"},"thumbnailUrl":"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg","datePublished":"2018-09-26T14:38:47+00:00","dateModified":"2018-09-26T14:40:45+00:00","author":{"@id":"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/5992f02d38e7b28251ad933cd131dcae"},"description":"This year's Sonatype State of Software Supply Chain Report delves into crucial areas of concern for open-source components and their vulnerabilites.","breadcrumb":{"@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#primaryimage","url":"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg","contentUrl":"https:\/\/solutionsreview.com\/cloud-platforms\/files\/2018\/09\/s0ma1.jpg","width":800,"height":400,"caption":"Sonatype State of Software Supply Chain Report"},{"@type":"BreadcrumbList","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/sonatype-state-of-software-supply-chain-report\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/solutionsreview.com\/cloud-platforms\/"},{"@type":"ListItem","position":2,"name":"A Look at the Sonatype State of Software Supply Chain Report"}]},{"@type":"WebSite","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/#website","url":"https:\/\/solutionsreview.com\/cloud-platforms\/","name":"Cloud Platforms &amp; Infrastructure Services | Solutions Review","description":"Evaluating Hyperscale Cloud Providers, Hybrid IaaS, PaaS &amp; Cloud Management Tools.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/solutionsreview.com\/cloud-platforms\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/5992f02d38e7b28251ad933cd131dcae","name":"Doug Atkinson","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/solutionsreview.com\/cloud-platforms\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/092cfcbe5c7f2c185c21f152aada2d2f?s=96&d=blank&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/092cfcbe5c7f2c185c21f152aada2d2f?s=96&d=blank&r=g","caption":"Doug Atkinson"},"description":"An entrepreneur and executive with a passion for enterprise technology, Doug founded Solutions Review in 2012. He has previously served as a newspaper boy, a McDonald's grill cook, a bartender, a political consultant, a web developer, the VP of Sales for e-Dialog - a digital marketing agency - and as Special Assistant to Governor William Weld of Massachusetts.","sameAs":["https:\/\/solutionsreview.com"],"url":"https:\/\/solutionsreview.com\/cloud-platforms\/author\/doug-atkinson-4\/"}]}},"_links":{"self":[{"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/posts\/2697"}],"collection":[{"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/comments?post=2697"}],"version-history":[{"count":0,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/posts\/2697\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/media\/2699"}],"wp:attachment":[{"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/media?parent=2697"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/categories?post=2697"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/solutionsreview.com\/cloud-platforms\/wp-json\/wp\/v2\/tags?post=2697"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}