The software supply chain has definitely been in all corners of the news this year, including finance, government, and technology. Although the focus is on security concerns, better supply chain management has benefits beyond preventing downtime and data breaches.
The observations presented in our 8th annual State of the Software Supply Chain report dig deeper as we continue our tradition of sharing management insights around the use of open source code in your software development life cycle (SDLC). The provided data highlights how better software supply chain management also saves money, improves morale, and accelerates innovation.
The supply of open source continues to grow at an impressive rate, as do security concerns. There has been a 742% average annual increase in software supply chain attacks over the past 3 years.
About 6 out of every 7 project vulnerabilities come from a specific type of software dependency known as a "transitive" dependency: a component pulled in indirectly by one of your direct dependencies rather than chosen by you. We look at data-driven selections of the best projects, and even the best versions of those projects, for your dependencies.
Open source project maintainers are not the primary source of security risk; open source consumers are. Our data show a monthly average of 3.4 billion downloads of vulnerable software where a fixed version is already available.
Survey respondents with more mature software supply chain management were 2.7x more likely to report higher job satisfaction:
- Development teams can cut expensive and tedious upgrade tasks in half by discerning the right dependency and when to upgrade.
Sonatype experts and data researchers looked through both public and proprietary data sources to illustrate and address trends in supply chain management. We looked at:
- Ongoing growth of the software supply chain itself and regulatory responses by governments around the world.
- Poor security trends, with recommendations for teams and the industry.
- Improved insights from last year on choosing quality component projects and version upgrades.
You can read this year’s full report by visiting www.sonatype.com/ssc, where you can see our overview of developer behaviors, better supply chain management, and recommendations for more mature development practices.
We'll also publish more background and analysis around the report to this blog in the weeks and months ahead.