News and Notes from the Makers of Nexus | Sonatype Blog

Perception versus reality: A data-driven look at open source risk management

Written by Luke Mcbride | November 11, 2022

On October 18, 2022, Sonatype published the 8th annual State of the Software Supply Chain. The report is our ongoing contribution to a growing body of knowledge about software development that relies on third-party open source software. Dr. Stephen Magill, one of the report's primary authors and VP of Product Innovation, presented a talk summarizing the report with additional context, background, and data.

Key themes include:

  • Overall ongoing growth of the software supply chain, as well as an increase in dependency usage and releases.

  • Worrying trends around attacks and slow patching.

  • Better dependency management and remediation.

  • The importance of code review.

  • What the data tells us is really happening in open source and software development.

Slide from Stephen’s presentation detailing one of our key insights.

Stephen digs into the research methods and data sources, and shares his own insights on the various methods for evaluating projects, including OpenSSF Scorecard and the Sonatype Safety Rating.

He also distills what we've learned in this year's report in terms of best practices for the industry. Suggestions based on the report are available for development teams, including what hard questions to ask about your organization.
