Study of 106,000 Software Development Organizations Reveals That the Way the World Creates Software Is Broken


23% of the Components in the Average Software Application Contain Known Vulnerabilities

Fulton, MD – June 17, 2015 – Sonatype today released the results of an extensive study of the software development practices of 106,000 organizations representing 17 billion requests for open source and third party software components from the Central Repository in 2014 alone.  The study revealed that the way the world creates software is broken – with 23% of the components in the average software application containing known vulnerabilities. 

“It’s easier than ever to build complex systems quickly using open source components downloaded from the Internet,” said Gareth Rushgrove, Sr. Software Engineer, Puppet Labs, and Curator of DevOps Weekly.  “But where does that software (and its dependencies) come from? How do you keep it up to date?  And is it introducing a critical security flaw to your application?  The move towards polyglot programming environments makes these issues even more pressing, and the number of third-party components has grown too large to manage in a non-systematic way.”

The 2015 State of the Software Supply Chain Report analyzed the practices of 106,000 organizations building custom software, the hundreds of thousands of suppliers (i.e. open source projects) they relied on, and the billions of parts (i.e. software components) that fueled their agile, continuous delivery and DevOps practices. The findings show that current approaches to software supply chain management are insufficient to keep up with today’s volume.  Applying proven principles from traditional manufacturing supply chains, organizations can benefit tremendously from using the fewest and best suppliers, sourcing the highest quality parts, and improving traceability of parts across their software lifecycle. Software supply chain automation is needed to improve quality, reduce risks, and keep pace with the volume and velocity of consumption.  


  • Businesses are using bad parts to build software and those bad parts are finding their way into many software applications currently on the market

    Of the billions of open source and third party software component downloads in 2014:
    • 6.2% (1 in 16) included a known security vulnerability.  The volume of vulnerable components downloaded increased by 94% over 2013, while the overall volume of downloads increased by only 31% over the same period.
    • A large volume of vulnerable downloads are making their way into applications. The report reveals that there are 24 known severe or critical vulnerabilities in the average software application, which has a total of 106 components. Examples of vulnerable components include: a web framework that allows remote attackers to bypass intended security restrictions and execute untrusted code, a broken component that allows remote attackers to cause a denial of service, and a broken component that allows encrypted information to be easily decrypted.
  • Businesses are using an unmanageable number of suppliers, which largely accounts for the vast number of bad parts being used in custom software.   Even when these bad parts are publicly known, companies take far too long to address the problem.
    • Large software and financial services companies are using an average of 7,600 suppliers. These companies sourced an average of 240,000 software “parts” in 2014, of which 15,000 included known vulnerabilities. This represents a supplier environment that’s fundamentally impossible to manage without automation for quality controls, better supplier vetting processes, and producing a software bill of materials. For reference, Toyota leverages a total of 125 suppliers to build the Prius.
    • Even the Open Source projects supplying these parts have trouble managing their own software supply chain.  The mean time to repair a known vulnerable component used within an open source project is 390 days – if it is fixed at all. 59% of known vulnerabilities on dependencies are still not fixed.
  • Businesses need improved visibility into what’s making its way into their software
    • 60% of businesses do not keep a complete inventory (bill of materials) of components being used in their applications.   This means that the majority of companies have no idea what’s in their software.  They don’t know if they have used “bad” components in their applications.  And in cases where known vulnerabilities are announced, they have no idea if they used the components and if they did, where they might exist in their applications.

“Just as in manufacturing, the effective management of our supply chains will create winners and losers. This will impact the quality of the services we deliver to our customers, as well as our ability to secure and maintain those services,” said Gene Kim, co-author of “The Phoenix Project: A Novel About IT, DevOps, and Helping Your Business Win” and the upcoming “DevOps Cookbook”.   “Anyone who believes, as I do, that we can learn valuable lessons from manufacturing and supply chains on how to better manage technology work will love this report.”

The entire report can be accessed here:

About Sonatype: 
Every day, developers rely on millions of third party and open source building blocks, known as components, to build the software that runs our world. Sonatype ensures that only the best components are used throughout the software development lifecycle so that organizations don't have to make the tradeoff between going fast and being secure. Policy automation, ongoing monitoring and proactive alerts make it easy to have full visibility and control of components throughout the software supply chain so that applications start secure and remain that way over time. Sonatype is privately held with investments from New Enterprise Associates (NEA), Accel Partners, Bay Partners, Hummer Winblad Venture Partners and Morgenthaler Ventures.