News and Notes from the Makers of Nexus | Sonatype Blog

Introducing our 2020 State of the Software Supply Chain report

Written by Derek Weeks | August 12, 2020

An analysis of high performance open source development practices

"If we move faster, we can't be as secure."

"If we build in more security, we can't be as fast."

For years, development and security pros have argued that effective risk management practices always come at the expense of developer productivity, or that a faster release velocity can be achieved only when security practices don't weigh it down.

Our 2020 State of the Software Supply Chain report delivers new evidence that faster innovation and better risk management do not have to be mutually exclusive - in fact, they feed off each other. High Performance engineering teams are now accelerating velocity while simultaneously improving security outcomes. Even better? Developers in High Performance teams demonstrate higher levels of job satisfaction. You can read more about our analysis of these four practice clusters in Chapter 4 of the report.

In addition to the above, the 2020 State of the Software Supply Chain report, now in its sixth year, analyzes data from over 1.5 trillion open source download requests, 24,000 open source projects, and 5,600 enterprise development teams. Here's more of what you can expect from year six:

  • We dive into a 430% increase in next-generation software supply chain attacks since last year's report (see Chapter 1)
  • We shed light on download requests for 1 trillion npm and 376 billion Java components (see Chapter 2)
  • We discuss how the best OSS projects are updating dependencies 530x faster than their peers and how this practice positively impacts security (see Chapter 3)
  • We compare high performing development teams to low performers to reveal 26x faster remediation of open source vulnerabilities (see Chapter 4)
  • We analyze over 1,700 applications to reveal that 11% of OSS components used to assemble applications have known vulnerabilities (see Chapter 5)

And once again, we'll cover the latest government and industry initiatives designed to protect software supply chains and strengthen the foundations of open source with reports from the U.S., U.K., and Australia. For example, check out the latest guidance from the Australian Cyber Security Centre (ACSC) that is featured in Chapter 6.

You can read this year's full report by downloading it at: www.sonatype.com/ssc. For those of you interested in hearing more about our findings, I invite you to join my afternoon keynote at the 2020 Nexus User Conference today at 3:30pm ET where I will share more data and analysis from the report.