
Consumer behaviors are the root of open source risk
2022-10-24 03:00

Sonatype unveiled its eighth annual State of the Software Supply Chain Report. Alongside a massive surge in open source supply, demand, and malicious attacks, the report found that 96% of open source Java downloads with known vulnerabilities could have been avoided because a better (non-vulnerable) version was already available but was ignored.

According to the report, this means 1.2 billion avoidable, known-vulnerable dependencies are being downloaded every month, pointing to non-optimal consumption behaviors, rather than a lack of fixed releases, as the root of open source risk.

"The good news is, this year's report also shows 'optimal' dependency management is possible. Further, despite the continued attention on trying to 'fix open source,' the data shows that open source consumers can make changes immediately that will have a profound impact on their ability to remediate and respond to the next event."

Open source demand continues to grow, despite what self-reported figures suggest - global open source consumption will surge to an estimated 3.1 trillion total requests.

Know what open source your open source is using - transitive dependencies account for 6 out of every 7 vulnerabilities affecting open source projects.
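The two findings above, avoidable known-vulnerable downloads and exposure through transitive dependencies, are easy to see in code. The following is an added example, not code from Sonatype's report or from the article: it walks a constructed, Maven-style dependency graph to its transitive closure, matches each resolved artifact against a constructed advisory list, and flags which exposures are "avoidable" in the report's sense (a fixed release already exists) versus unavoidable (no fix shipped yet). Every artifact name, version and advisory ID is made up for illustration; the version ordering is a deliberately simple dotted-numeric comparison, which is an assumption that does not cover Maven qualifiers such as `-SNAPSHOT` or `-rc1`.

```python
"""Added example (not from the Sonatype report or the article).

Resolves the transitive dependency closure of a constructed project,
matches it against constructed advisories, and reports which exposures
are transitive and which are avoidable because a fixed version exists.
"""
from collections import deque

# Constructed dependency graph: "artifact@version" -> direct dependencies.
# Not a real project; the names are hypothetical.
DEPENDENCY_GRAPH = {
    "app@1.0.0": ["web-framework@3.2.0", "json-lib@2.1.0"],
    "web-framework@3.2.0": ["http-core@4.0.1", "logging-facade@1.7.0"],
    "http-core@4.0.1": ["codec@1.9.0"],
    "json-lib@2.1.0": ["codec@1.9.0"],
    "logging-facade@1.7.0": [],
    "codec@1.9.0": [],
}

# Constructed advisories (not real CVEs). Versions older than fixed_in are
# affected; fixed_in == None means no fixed release exists yet.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "artifact": "codec", "fixed_in": "1.10.0"},
    {"id": "EXAMPLE-2022-0002", "artifact": "json-lib", "fixed_in": "2.2.0"},
    {"id": "EXAMPLE-2022-0003", "artifact": "logging-facade", "fixed_in": None},
]


def parse_version(text):
    """'1.10.0' -> (1, 10, 0). Comparing strings would wrongly rank 1.9.0
    above 1.10.0; tuples of ints compare numerically. Real Maven ordering
    (qualifiers, snapshots) is richer and needs a proper comparator."""
    return tuple(int(part) for part in text.split("."))


def split_coordinate(coordinate):
    """'codec@1.9.0' -> ('codec', '1.9.0')."""
    artifact, version = coordinate.split("@", 1)
    return artifact, version


def resolve_transitive(graph, root):
    """Breadth-first walk from `root`; returns artifact -> {version, depth, via}.

    depth 1 is a direct dependency, depth >= 2 a transitive one reached through
    the parent named in "via". Breadth-first order with one slot per artifact
    mirrors Maven's nearest-definition rule when an artifact appears twice.
    """
    resolved = {}
    root_artifact, _ = split_coordinate(root)
    seen = {root_artifact}
    queue = deque([(root, 0, None)])
    while queue:
        coordinate, depth, parent = queue.popleft()
        artifact, version = split_coordinate(coordinate)
        if depth > 0:
            resolved[artifact] = {"version": version, "depth": depth, "via": parent}
        for child in graph.get(coordinate, []):
            child_artifact, _ = split_coordinate(child)
            if child_artifact not in seen:
                seen.add(child_artifact)
                queue.append((child, depth + 1, artifact))
    return resolved


def find_vulnerable(resolved, advisories):
    """Match resolved artifacts against advisories.

    A finding is "avoidable" when a fixed release exists: the build could have
    pulled that version instead. With no fix shipped, the exposure stays until
    upstream releases one, which is the minority case the report describes.
    """
    findings = []
    for advisory in advisories:
        entry = resolved.get(advisory["artifact"])
        if entry is None:
            continue  # advisory is for something this project never pulls in
        fixed_in = advisory["fixed_in"]
        affected = fixed_in is None or parse_version(entry["version"]) < parse_version(fixed_in)
        if not affected:
            continue
        findings.append({
            "advisory": advisory["id"],
            "artifact": advisory["artifact"],
            "version": entry["version"],
            "transitive": entry["depth"] > 1,
            "via": entry["via"],
            "avoidable": fixed_in is not None,
            "fixed_in": fixed_in,
        })
    return findings


def summarize(findings):
    """Counts of the kind the report aggregates across an ecosystem."""
    return {
        "total": len(findings),
        "transitive": sum(1 for f in findings if f["transitive"]),
        "avoidable": sum(1 for f in findings if f["avoidable"]),
    }


if __name__ == "__main__":
    resolved = resolve_transitive(DEPENDENCY_GRAPH, "app@1.0.0")
    findings = find_vulnerable(resolved, ADVISORIES)
    for f in findings:
        origin = f"transitive via {f['via']}" if f["transitive"] else "direct"
        fix = f"upgrade to {f['fixed_in']}" if f["avoidable"] else "no fixed release yet"
        print(f"{f['advisory']}: {f['artifact']}@{f['version']} ({origin}) - {fix}")
    print(summarize(findings))
```

Run against the constructed graph, two of the three findings are transitive (pulled in by `json-lib` and `web-framework`, not declared by the project itself) and two are avoidable because a fixed release exists; only the `logging-facade` exposure would require waiting on upstream. The same walk is what a real SCA tool performs over a resolved lockfile or `mvn dependency:tree` output before deciding which advisories apply.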

"Our research shows that the number of dependencies per open source project is growing, and that these dependencies are a critical driver of risk. Immature organizations expect their developers to stay on top of license compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures like speed."


News URL

https://www.helpnetsecurity.com/2022/10/24/software-supply-chain-state/