2019 State of the Software Supply Chain Report Reveals Best Practices From 36,000 Open Source Software Development Teams


An additional study of 12,000 commercial software engineering teams identified key characteristics of exemplary secure coding practices

LONDON – DevOps Enterprise Summit – June 25, 2019 – Sonatype today released its fifth annual State of the Software Supply Chain Report. This year’s report reveals the best practices exhibited by exemplary open source software projects and commercial application development teams. As in years past, it also examines the rapidly expanding supply and continued exponential growth in consumption of open source components.

For the fifth anniversary report, Sonatype collaborated with Gene Kim from IT Revolution and Dr. Stephen Magill from Galois and MuseDev. Together with Sonatype, the researchers objectively examined and empirically documented release patterns and cybersecurity hygiene practices across 36,000 open source project teams and 3.7 million open source component releases. This year’s report identifies the top 1,229 individual projects, which demonstrated the following attributes:

  • 18x faster at updating dependencies
  • 6.8x better at releasing components where all dependencies are up to date
  • 3.4x faster at remediating vulnerabilities
  • 6x more popular
  • 2x more frequent with their component releases
  • 33% larger development team size
  • 4x more likely to be managed by open source foundations than by commercial stewards

The researchers also studied 12,000 commercial engineering teams and surveyed more than 6,200 developers. Their findings demonstrated that exemplary development teams were:

  • 2.6x less likely to consider updating vulnerable components to be “painful”
  • 11x more likely to use some process to add a new dependency (e.g., evaluate, approve, standardize, etc.)
  • 9.3x more likely to have a process to proactively remove problematic or unused dependencies
  • 12x more likely to have automated tools to track, manage, and/or ensure policy compliance of dependencies
  • 6.2x more likely to use the latest version (or latest-N) of all of their dependencies

“We have long advised organizations that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%.”

"It was a privilege to be part of this research effort to better understand the health and habits of the open source component ecosystem, where we could study all the Java artifacts stored in The Central Repository, which some of us know as 'Maven Central,'" said Gene Kim, Author, Researcher, and Founder of IT Revolution. "It was incredible to explore how exemplars achieve better outcomes (quality, security, popularity), and what factors correlated with them, such as team size, release frequency, number of dependencies, their strategy to update them, and many more."

“My favorite part of this study was seeing both the general trends and the outliers. It’s great to see that projects are maintaining a high standard of quality across dimensions of team size, update frequency, foundation support, and number of dependencies. And yet there are clear trends. High performers are more likely to be foundation supported, and projects with many dependencies tend to be driven by larger teams,” said Dr. Stephen Magill, Principal Scientist at Galois & CEO of MuseDev.

“The bravest and smartest thing you can do in open source is look the gift horse in the mouth. You're not being given a gift, you're being given a technical debt,” said David Blevins, founder and CEO of Tomitribe. “We are exemplar creators of open source because we are exemplary consumers. We understand that just because we didn't write the code, we will still own the debt, and we act accordingly.”

About the State of the Software Supply Chain Report

The 2019 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis to identify exemplary software development practices. This year’s report was produced in collaboration with Gene Kim of IT Revolution and Dr. Stephen Magill of Galois, who is also CEO of MuseDev. Findings in the report stem from analysis of 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys, with a combined participation of over 6,200 development professionals.

About Sonatype

More than 10 million software developers rely on Sonatype to innovate faster while mitigating security risks inherent in open source. Sonatype’s Nexus platform combines in-depth component intelligence with real-time remediation guidance to automate and scale open source governance across every stage of the modern DevOps pipeline. Sonatype is privately held with investments from TPG, Goldman Sachs, Accel Partners, and Hummer Winblad Venture Partners. Learn more at www.sonatype.com.