What 36,000 OSS Projects and 12,000 Commercial Dev Teams Taught Us about Secure Coding Practices
By Derek Weeks
After ten months of research, which involved studying 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases, we are pleased to announce the arrival of the 2019 State of the Software Supply Chain report.
This year's report is different. We partnered with Gene Kim of IT Revolution and Dr. Stephen Magill, of Galois and CEO of Muse, to objectively examine and empirically document, for the first time, the attributes of exemplary development practices, especially in relation to secure coding practices. But, as in years past, we've also analyzed the rapidly expanding supply of open source components and the continued exponential growth in demand for them.
Not All Open Source Projects Are Created Equal
For the past four years, we've studied the ins and outs of the software supply chain - what it consists of, how vulnerabilities are getting in and how often, the growing regulations, and most recently, a new trend in which adversaries purposely attack the supply chain with malicious components.
For our fifth anniversary of the report, we wanted to look deeper. We wanted to understand exactly how enterprise development teams, and potentially even more importantly OSS projects, were thinking about and addressing software supply chain security issues. We wanted to understand and identify the best practices, so we could share them with others.
As a result of our research, we identified five common behavior patterns across 36,000 open source development teams. This includes identifying the attributes of Large and Small Exemplars, the 1,229 OSS projects - the top 3% - whose development behaviors set them apart.
To arrive at this list, we examined many variables, including:
- Do differences exist in how effectively OSS projects update their dependencies and fix vulnerabilities?
- Are there exemplary teams that do this better than others?
- Are components from exemplary teams more widely used than "non-exemplary" components?
- What factors correlate with exemplary components?
- What advice can be offered to producers of OSS components and the developers that consume them?
The answers were striking - and the resulting data even more illuminating. While the report identifies Small Exemplars and Large Exemplars, we've also identified three additional groups of OSS projects - Laggards, Features First, and Cautious.
Exemplary Commercial DevSecOps Practices Create Superior Software
There are clear, competitive advantages for teams with exemplary DevSecOps practices.
As we've been saying for years, "Innovation is critical, speed is king, and open source is at center stage." This year's research further underscores these accelerating trends throughout the software supply chain. It also shows that taming the supply chain is possible. By choosing better suppliers, selecting better components, and using automation, dev teams are seeing impressive rewards. In fact, for those development teams actively managing their software supply chains, the use of known vulnerable component releases was reduced by 55%.
This year's report details 11 other behaviors and attributes of leading enterprise development teams, including their frequency of software releases, use of repository managers, and reliance on software bill of materials (SBOM).
Download the Full Report
This year's research collaboration with Gene and Stephen has shed new light on exemplary development and DevOps practices. It gives us great pleasure each year to share our observations with you. We invite you to read the report, reflect on its findings regarding your own development efforts, and share any feedback you have on the findings with us.

Derek serves as vice president and DevOps advocate at Sonatype and is the co-founder of All Day DevOps -- an online community of 65,000 IT professionals.