Sonatype’s 2020 State of the Software Supply Chain Report Finds 430% Increase in Next Generation Open Source Cyber Attacks


Study also finds 51% of organizations require more than a week to remediate new zero day vulnerabilities

Fulton, Md. - August 12, 2020 -- Sonatype, the company that scales DevOps through open source governance and software supply chain automation, today released its sixth annual State of the Software Supply Chain Report. This year’s report found a massive 430% surge in next generation cyber attacks aimed at actively infiltrating open source software supply chains.  

Rise of Next-Gen Software Supply Chain Attacks

According to the report, 929 next generation software supply chain attacks were recorded from July 2019 through May 2020. By comparison, 216 such attacks were recorded in the four years between February 2015 and June 2019.

The difference between “next generation” and “legacy” software supply chain attacks is simple but important: next generation attacks like Octopus Scanner and electron-native-notify are strategic and involve bad actors intentionally targeting and surreptitiously compromising “upstream” open source projects so they can subsequently exploit vulnerabilities when they inevitably flow “downstream” into the wild.  Conversely, legacy software supply chain attacks like Equifax are tactical and involve bad actors waiting for new zero day vulnerabilities to be publicly disclosed and then racing to take advantage in the wild before others can remediate.

“Following the notorious Equifax breach of 2017, enterprises significantly ramped investments to prevent similar attacks on open source software supply chains,” said Wayne Jackson, CEO at Sonatype. “Our research shows that commercial engineering teams are getting faster in their ability to respond to new zero day vulnerabilities. Therefore, it should come as no surprise that next generation supply chain attacks have increased 430% as adversaries are shifting their activities ‘upstream’ where they can infect a single open source component that has the potential to be distributed ‘downstream’ where it can be strategically and covertly exploited.”

Speed Remains Critical When Responding to Legacy Software Supply Chain Attacks

According to the report, enterprise software development teams differ in their response times to vulnerabilities in open source software components:

  • 47% of organizations became aware of new open source vulnerabilities after a week; and
  • 51% of organizations took more than a week to remediate the open source vulnerabilities

For the second year in a row, Sonatype also partnered with researchers Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev, to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity. The researchers discovered that not all organizations prioritize improved risk management practices at the expense of developer productivity. This year’s report reveals that high performing development teams are 26x faster at detecting and remediating open source vulnerabilities, and deploy changes to code 15x more frequently than their peers. High performers are also:

  • 59% more likely to be using automated software composition analysis (SCA) to detect and remediate known vulnerable OSS components across the SDLC
  • 51% more likely to centrally maintain a software bill of materials (SBOM) for applications
  • 4.9x more likely to successfully update dependencies and fix vulnerabilities without breakage
  • 33x more likely to be confident that OSS dependencies are secure (i.e., no known vulnerabilities)

Additional findings from the report include:

  • 1.5 trillion component download requests projected in 2020 across all major open source ecosystems (see page 13)
  • 10% of Java OSS component downloads by developers had known security vulnerabilities (see page 32)
  • 11% of open source components developers build into their applications are known vulnerable, with 38 vulnerabilities discovered on average (see page 34)
  • 40% of npm packages contain dependencies with known vulnerabilities (see page 32)
  • New open source zero-day vulnerabilities are exploited in the wild within 3 days of public disclosure (see page 11)
  • The average enterprise sources code from 3,500 OSS projects including over 11,000 component releases  (see page 33)

“We found that high performers are able to simultaneously achieve security and productivity objectives,” said Gene Kim, DevOps researcher and author of the WSJ bestselling book, The Unicorn Project.  “It’s fantastic to gain a better understanding of the principles and practices of how this is achieved, as well as their measurable outcomes.”

“It was really exciting to find so much evidence that this much-discussed tradeoff between security and productivity is really a false dichotomy. With the right culture, workflow, and tools, development teams can achieve great security and compliance outcomes together with class-leading productivity,” said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.

About the State of the Software Supply Chain Report

This year’s report blends a broad set of public and proprietary data and analysis, including survey results from over 5,600 software developers, the evaluation of 24,000 open source projects, and the assessment of 15,000 development organizations. For the second year in a row, Sonatype partnered with researchers Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev, to understand how high performing development teams deliver better risk management outcomes while simultaneously improving productivity.

About Sonatype

Sonatype is the leader in software supply chain automation technology with more than 350 employees, over 1,000 enterprise customers, and is trusted by more than 10 million software developers. Sonatype’s Nexus platform enables DevOps teams and developers to automatically integrate security at every stage of the modern development pipeline by combining in-depth component intelligence with real-time remediation guidance. For more information, please visit, or connect with us on Facebook, Twitter, or LinkedIn.

Media Contact

In the US: Mission North for Sonatype

In the UK: Babel PR for Sonatype