SSC_2020_Cover

 

2020 State of the Software Supply Chain

Read our 6th annual report on open source software development and understand why productivity does not have to come at the cost of reduced security.

SSC_2020_Cover

 

2020 State of the Software Supply Chain

Read our 6th annual report on open source software development and understand why productivity does not have to come at the cost of reduced security.

The 2020 State of the Software Supply Chain Report blends a broad set of public and proprietary data, along with survey results from over 5,600 professional developers to reveal important findings, including:

  • 430% growth in next-generation cyber attacks actively targeting OSS (Chapter 1)
  • 1.5 trillion OSS component download requests (Chapter 2)
  • 530x faster time to update dependencies for exemplary OSS projects (Chapter 3)
  • 26x faster remediation of vulnerabilities for high performing teams (Chapter 4)
  • 11% of OSS components used in applications have known vulnerabilities (Chapter 5)

For the second year in a row, we’ve collaborated with research partners Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev, to examine how high performing enterprise software development teams successfully balance their performance and risk management practices while assembling applications with open source components.

Get Your Copy!

SON_Headshot_Gene_Kim@2x

β€œIt was a privilege to be part of this research effort to better understand the health and habits of the open source component ecosystem, where we could study all the Java artifacts stored in The Central Repository, which some of us know as 'Maven Central,'” said Gene Kim Author, Researcher, and Founder of IT Revolution. β€œIt was incredible to explore how exemplars achieve better outcomes (quality, security, popularity), and what factors correlated with them, such as team size, release frequency, number of dependencies, their strategy to update them, and many more.”


 

Improving outcomes with DevSecOps and automation.

SSC_Page_Chart1

Automation accelerates the demand for open source.

In 2018, download requests for Java components grew 68% year over year to 146 billion. Downloads of npm packages reached 10 billion per week β€” equating to a 185% year over year.

Average days

The best open source project teams are blue.

Exemplary OSS project teams demonstrate 3.4x faster vulnerability remediation, were 6x more popular, had 33% larger development teams and were 9.3x more likely to have a process to proactively remove problematic dependencies.

55 percent reduction

DevSecOps automation reduces OSS risks.

Organizations automating open source governance as part of a managed software supply chain practice reduced the percentage of vulnerable components used in finished applications by 55%.