The 2016 State of Software Supply Chain Report

July 11, 2016 By Derek Weeks


Our State of the Software Supply Chain Report has just been released. Over the past year, we have amassed a great deal of data on the staggering volume and variety of open source components flowing through software supply chains into development environments. This year, we assessed behaviors across 3,000 organizations and performed deep analysis on over 25,000 applications.

The results we discovered ranged from staggering to surprising to sobering. For example, we measured organizations consuming an average of 229,000 components annually. The good news is that these components help companies accelerate their development and innovation. At the same time, we saw that 6.8% of the components used in applications carried at least one known security vulnerability, adding high levels of security debt. Not all components are created equal.

In the past year, Sonatype was far from the only organization pursuing improved software supply chain practices. We studied the patterns and practices of high-performance organizations and documented how these innovators apply the principles of software supply chain automation to manage the massive flow and variety of open source components. These organizations strive to consistently deliver higher quality applications for less while lowering their risk profile. This year's report profiles organizations across the banking, insurance, defense, energy, technology, and government sectors.


The 2016 State of the Software Supply Chain Report blends public and proprietary data with expert research and analysis to reveal the following:

  • Developers are gorging on an ever-expanding supply of open source components. Billions of open source components were downloaded in the last year.
  • Vast networks of open source component suppliers are growing rapidly. Over 1,000 new open source projects and 10,000 new versions of open source components are introduced daily.
  • The massive variety and volume of software components vary widely in quality. 1 in 16 parts include a known security defect.
  • Top performing enterprises, federal regulators and industry associations have embraced the principles of software supply chain automation to improve the safety, quality, and security of software.

We invite you to read the report and leverage the insights to understand how your organization’s practices compare to others. Then, let us know what you think @sonatype.

If you would like to join a live discussion on this year's report, please join us on Wednesday, July 13th. Save your seat here.


Tags: Software Supply Chain, open source governance, Application Security, Devops

Written by Derek Weeks

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps, an online community of 65,000 IT professionals.