The newly published annual State of the Software Supply Chain report from Sonatype has landed, and frankly it makes for troubling reading. I’m not just talking about the shocking headline statistic: the 245,000 malicious packages discovered is more than double the combined total of all previous years since 2019.
Digging deeper reveals even more concerning numbers.
Aaron Linskens, part of Sonatype’s developer relations team, points out that while patches have been available for a couple of years now, “23% of Log4j downloads [are] critically vulnerable versions”.
Across 2022, Linskens continues, “we saw that 12% of downloads, roughly 1 in 8 of all components served by Maven Central, contained a known security vulnerability”. Maven Central is the largest single public repository for Java open-source components.
As if these numbers weren’t concerning enough, “nearly 96% of component downloads with known vulnerabilities could be avoided by selecting a non-vulnerable version”. In other words, for the overwhelming majority of vulnerable downloads a fixed release already existed at the time of the download.
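One way to turn that “96% avoidable” finding into a routine check, as an added example that is not code from the report or from Sonatype: parse the output of `mvn dependency:list`, compare each resolved coordinate against a table of the first non-vulnerable version for artifacts you care about, and report the release to move to. The baseline table, the sample dependency lines and the 2.17.1 threshold for log4j-core are assumptions constructed for illustration; in practice the table would be fed from your advisory source or SCA tool.

```python
"""Flag Maven dependencies that sit below a known-fixed version.

Added example for this article; not Sonatype's code. The baseline table and
the sample `mvn dependency:list` output below are constructed for illustration.
"""
import re

# (groupId, artifactId) -> first version treated as non-vulnerable.
# Assumption for this example: log4j-core below 2.17.1 is flagged; replace
# with entries from your own advisory feed.
FIXED_BASELINE = {
    ("org.apache.logging.log4j", "log4j-core"): "2.17.1",
}

# Matches lines of the form:
# [INFO]    groupId:artifactId:type:version:scope
DEP_LINE = re.compile(
    r"^\[INFO\]\s+(?P<g>[\w.\-]+):(?P<a>[\w.\-]+):(?P<t>\w+):(?P<v>[^:]+):(?P<s>\w+)"
)

# Constructed sample output; the coordinates and versions are illustrative.
SAMPLE = """[INFO] The following files have been resolved:
[INFO]    org.apache.logging.log4j:log4j-core:jar:2.14.1:compile
[INFO]    org.apache.logging.log4j:log4j-api:jar:2.14.1:compile
[INFO]    com.fasterxml.jackson.core:jackson-databind:jar:2.15.2:compile
"""


def parse_version(version):
    """Turn '2.14.1' into (2, 14, 1).

    Only the leading numeric segments are compared; a qualifier such as
    '-rc1' ends the tuple. That is enough for release-to-release checks but
    is not Maven's full ordering (see usage note).
    """
    parts = []
    for piece in re.split(r"[.\-]", version):
        if piece.isdigit():
            parts.append(int(piece))
        else:
            break
    return tuple(parts)


def is_vulnerable(group, artifact, version):
    """True if the coordinate is in the table and below its fixed baseline."""
    baseline = FIXED_BASELINE.get((group, artifact))
    if baseline is None:
        return False
    return parse_version(version) < parse_version(baseline)


def audit(dep_list_output):
    """Return (coordinate, current_version, fixed_version) for each finding."""
    findings = []
    for line in dep_list_output.splitlines():
        m = DEP_LINE.match(line)
        if not m:
            continue
        g, a, v = m["g"], m["a"], m["v"]
        if is_vulnerable(g, a, v):
            findings.append((f"{g}:{a}", v, FIXED_BASELINE[(g, a)]))
    return findings


if __name__ == "__main__":
    for coordinate, current, fixed in audit(SAMPLE):
        print(f"{coordinate} {current} -> upgrade to {fixed}")
```

Run it against real output with `mvn dependency:list | python audit.py` wired to `sys.stdin` instead of `SAMPLE`. The version comparison deliberately stops at the first non-numeric segment, so a pre-release such as `2.17.1-rc1` is treated the same as `2.17.1`; Maven's own ordering of qualifiers is richer, and a production check should use a proper version library or the SCA tool's comparison rather than this tuple shortcut.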
Two stats that highlight malicious package threats
The surging security risk of using open-source libraries, as evidenced by the Sonatype analysis of more than 400 billion downloads from Maven Central, is best highlighted by just two statistics.
- 67% of survey respondents felt confident that their applications didn’t rely upon vulnerable libraries…
- …yet 10% reported their organisations had suffered a security incident due to just that across the previous 12 months
Nor should you assume that an actively maintained project guarantees security. According to Linskens, “maintained projects have a slightly lower incidence of vulnerability”, but the key phrase there is “slightly lower”.
As Brian Fox, Sonatype’s CTO, says: “Our industry needs to direct its efforts towards the right place.
“The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers and giving them access to the right tools.
“The goal is to help developers be more intentional about downloading open-source software from projects with the most maintainers and the healthiest ecosystem of contributors.”
External view on malicious threats in open-source software
Craig Harber, a security evangelist with Open Systems, finds the report unsurprising but highly frustrating. “The lack of mature vulnerability management and patch management processes has been the Achilles heel of most agencies and organisations for as long as I can remember,” he says.
Arguing that real leadership is needed for change, Harber concludes that it’s got to be more than drafting regulations and guidance.
“Investments are needed in automation and AI-driven decision support tools to enable IT teams to do their jobs effectively. System owners and stakeholders need to be held accountable if they fail to provide the IT teams the necessary direction and tools to be successful.”