Perception versus reality: A data-driven look at open source risk management

On October 18, 2022, Sonatype published the 8th annual State of the Software Supply Chain report. The report is our ongoing contribution to a growing body of knowledge about software development that relies on third-party open source software. Dr. Stephen Magill, one of the report's primary authors and VP of Product Innovation, presented a talk summarizing the report with additional context, background, and data.

Key themes include:

  • Overall ongoing growth of the software supply chain, as well as an increase in dependency usage and releases.

  • Worrying trends around attacks and slow patching.

  • Better dependency management and remediation.

  • The importance of code review.

  • What the data tells us is really happening in open source and software development.

[Slide from Stephen's presentation, detailing one of our key insights: perception, "open source is risky," versus reality, "OSS can almost always be secure."]

Stephen digs into the research methods and data sources behind the report, and shares his own insights on the various methods for evaluating projects, including OpenSSF Scorecard and the Sonatype Safety Rating.

He also distills what we've learned in this year's report into best practices for the industry. Suggestions based on the report are available for development teams, including the hard questions to ask about your own organization.


Written by Luke Mcbride

Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.