Perception Versus Reality: a Data-Driven Look at Open Source Risk Management

November 11, 2022 By Luke Mcbride

2 minute read time

On October 18th, 2022, Sonatype published the 8th Annual State of the Software Supply Chain. The report is our ongoing contribution to a growing body of knowledge and software development using third-party open source software. One of the report’s primary authors and VP of Product Innovation Dr. Stephen Magill presented a talk summarizing the report with additional context, background, and data.

Key themes include:

  • Overall ongoing growth of the software supply chain, as well as an increase in dependency usage and releases.

  • Worrying trends around attacks and slow patching.

  • Better dependency management and remediation.

  • The importance of code review.

  • What the data tells us is really happening in open source and software development.

Screencapture of presentation slide with perception: "open source is risky" vs. reality "OSS can almost always be secure"

Slide from Stephen’s presentation detailing one of our key insights.

Stephen digs into research methods, data sources, and shares his own insights on the various methods for evaluating projects, including OpenSSF Scorecard and the Sonatype Safety Rating.

He also distills what we’ve learned in this year’s report in terms of best practices for the industry. Suggestions based on the report are available for development teams, including what hard questions to ask about your organization.

Webinar video thumbnail

RELATED

Tags: vulnerability, Open Source, Events and Webinars, News and Views, Post developers/devops

Written by Luke Mcbride

Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.