2020 State of the Software Supply Chain Report Released; Sonatype Reveals New Speed and Security Benchmarks


Study shows high performance engineering teams release 15x more often and remediate open source vulnerabilities 26x faster

Fulton, Md. - August 12, 2020 -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today released its sixth annual State of the Software Supply Chain Report.

For the second year in a row, Sonatype partnered with researchers Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity.

The report analyzes over 1.5 trillion open source download requests, 24,000 open source projects, and 5,600 enterprise development teams. Furthermore, in-depth survey research across a wide variety of organizations identified four types of software engineering teams with markedly different levels of performance as it relates to software supply chain management practices and open source governance.

  • High Performance Teams: high productivity, great risk management outcomes
  • Security First Teams: low productivity, great risk management outcomes
  • Productivity First Teams: high productivity, poor risk management outcomes
  • Low Performer Teams: low productivity, poor risk management outcomes

When compared to their Low Performer peers, High Performers demonstrated:

  • 15x higher deployment frequency
  • 26x faster detection and remediation of vulnerable OSS components
  • 5.7x less time required for developers to become productive when switching teams
  • 1.5x more likely for employees to recommend their organizations as a great place to work

When compared to Security First teams, High Performers were:

  • 59% more likely to be using software composition analysis (SCA) tools
  • 28% more likely to enforce governance policies in Continuous Integration (CI)
  • 56% more likely to have centrally-managed CI infrastructure
  • 51% more likely to maintain a centralized record of SBOMs for applications

“Many have argued that effective risk management practices are always at the expense of developer productivity, but this year’s report provides strong evidence to the contrary. Faster innovation and better risk management are not mutually exclusive,” said Wayne Jackson, CEO of Sonatype. “High Performance engineering teams are accelerating velocity while simultaneously reducing security risks. Adding to these successful business outcomes, developers in High Performance teams demonstrate higher levels of job satisfaction.”

The report also evaluated 24,000 open source projects to determine practices of the top-performing suppliers feeding components into software supply chains. Researchers found exemplary OSS projects demonstrated:

  • 530x faster mean time to update (MTTU) dependencies
  • 1.5x more frequent releases
  • 2.5x greater popularity
  • 173x less likely to have at least one dependency out of date

“We found that high performers are able to simultaneously achieve security and productivity objectives,” said Gene Kim, DevOps researcher and author of the WSJ bestselling book, The Unicorn Project. “It’s fantastic to gain a better understanding of the principles and practices of how this is achieved, as well as their measurable outcomes.”

“It was really exciting to find so much evidence that this much-discussed tradeoff between security and productivity is really a false dichotomy. With the right culture, workflow, and tools, development teams can achieve great security and compliance outcomes together with class-leading productivity,” said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.

The study also reveals new milestones in open source software development, adversarial activity, and government influence, including:

  • 430% increase in next generation software supply chain attacks over the past year (page 6)
  • 373,000 average downloads of open source components per company, of which 8.3% were known vulnerable (page 33)
  • U.S., U.K., and Australian government initiatives designed to protect software supply chains and strengthen the foundations of open source (see page 35)

About the State of the Software Supply Chain Report

The 2020 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis to identify exemplary software development practices. Now in its sixth year, it is the longest-running research on open source software development and application security practices of its kind.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit Sonatype.com, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

In the US: Mission North for Sonatype


In the UK: Babel PR for Sonatype