Sonatype’s 2018 State of the Software Supply Chain Report Reveals Use of Vulnerable Open Source Increased 120%, Despite Equifax Breach


New data shows managed software supply chains are 2X more efficient and 2X more secure

FULTON, MD - September 25, 2018 - Sonatype today released its fourth annual State of the Software Supply Chain Report which found that software developers downloaded more than 300 billion open source components in the past 12 months, and that 1 in 8 of those components contained known security vulnerabilities.

The comprehensive benchmark report incorporates a combination of public and proprietary data to examine patterns and practices underpinning open source software development and modern software supply chains. Key findings in this year’s report include:

  • Managed software supply chains are 2X more efficient and 2X more secure
    • Automated OSS security practices reduce the presence of vulnerabilities by 50%
    • DevOps teams are 90% more likely to comply with open source governance when security policies are automated
  • The window to respond to vulnerabilities is shrinking rapidly
    • Over the past decade, the mean time to exploit security vulnerabilities in the wild has compressed by 93.5% - or 4-fold, going from an average of 45 days to just 3
  • Hackers are beginning to assault software supply chains
    • Over the last 18 months, a series of no fewer than 11 events points to a serious escalation of attacks on software supply chains
    • These assaults, which include hackers injecting vulnerabilities directly into open source releases, represent a new front in the battle to secure software applications
  • Industry lacks meaningful open source controls
    • 1.3 million vulnerabilities in OSS components do not have a corresponding CVE advisory in the public NVD database
    • 62% of organizations admitted to not having meaningful controls over what OSS components are used in their applications
  • Governments are stepping in, as enterprises struggle to self-regulate
    • 19 different governmental organizations around the world have called for improved OSS security and governance
  • Supply of, and demand for, open source shows no sign of slowing down
    • More than 15,000 new or updated open source releases are made available to developers every day
    • The average enterprise downloaded 170,000 Java components in 2017, up 36% year over year

Supporting Quotes:

Wayne Jackson, CEO, Sonatype

“As open source accelerates to its zenith of value, the underlying fundamentals of the ecosystem and the infrastructure supporting it, are increasingly at risk. A series of high profile and devastating cyber attacks last year demonstrated the intent and ability to exploit security vulnerabilities in software supply chains. This year’s report proves, however, that secure software development isn’t out of reach. The application economy can grow and prosper in regulated, secure environments, if managed properly.”

Gene Kim, Researcher and co-author of “The Phoenix Project,” “The DevOps Handbook,” and “Accelerate”

“We live in an age where the majority of the software we deliver is not written by us — instead, we rely on a huge and sprawling software supply chain of open source components. As valuable as open source software has become, there is a significant and hidden economic cost of using these software dependencies. One of the most telling indicators is that some of the highest-profile security breaches in the last year were due to not using the most current component versions, which enabled software vulnerabilities to be exploited to devastating effect. This report shows how critical the open source component ecosystem is to all of us, and the wide variance in practice in both the producers and consumers of open source software.”

Kevin E. Greene, Principal Software Assurance Engineer, The MITRE Corporation

“We are seeing more breaches in open source software because of the gravitational force that pulls features, complexity, and technical debt towards a software system over time, which makes it very difficult to patch in a timely fashion. Unfortunately, that hasn’t changed the consumption rate of open source software by developers. This is consistent with what I believe is a growing concern… that developers may have surrendered to the idea that all software is vulnerable and has known vulnerabilities. We must give developers better supply chain options where quality and security are intrinsically designed-in.”

DJ Schleen, Security Architect and DevSecOps Idealist, Fortune 50 Insurance Corporation

“Only a decade ago, you’d look under the hood of the software your business buys and see a black box. Today we have the opportunity to open the hood to see the engine and all of its parts. Consumers and high performing DevOps organizations alike should not accept the risks of having known vulnerable open source components in their products. While new regulations begin to address the problem, this is one that good corporate citizens should have taken care of themselves.”

Hasan Yasar, Technical Manager and Adjunct Faculty Member, Carnegie Mellon University

“In 476 B.C. Master Sun (The Art of War, Sunzi Sun Tzu) said ‘know yourself, know your enemy and you shall win a hundred battles without loss.’ The same is true when it comes to software development in 2018. If we know what we have in our code - including OSS - (ourselves) and know where vulnerabilities are (our enemy), then we can create secure software. As the use case for OSS only gets stronger, this year’s State of the Software Supply Chain Report once again shows that OSS vulnerabilities are growing exponentially. We cannot simply ignore the problem anymore; we must know the enemy in order to defeat it.”

Scott Crawford, Research Director - Information Security, 451 Research

“As with any technology, open source software (OSS) components deliver many unique advantages. They also come with their own set of risks: licensing issues and exposure to known security vulnerabilities are two of the best known. Before an organization can assess these exposures, an accurate and up-to-date inventory of OSS components is required. This year’s State of the Software Supply Chain report shows that too many organizations are still failing at this most basic line of cyber hygiene. In fact, more than 62% admitted to not having meaningful controls over what OSS components are used in their applications.”

About the State of the Software Supply Chain Report

The 2018 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis. This year’s report highlights new methods cybercriminals are employing to infiltrate software supply chains, offers expanded analysis across languages and ecosystems, and more deeply explores how government regulations are likely to impact the future of software development.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at