Now in its seventh year, Sonatype’s 2021 State of the Software Supply Chain Report blends a broad set of public and proprietary data to reveal important findings about open source and its increasingly important role in digital innovation.
Components that consistently react quickly to dependency upgrades will have low MTTU. Components that either consistently react slowly or have high variance in their reaction time will have higher MTTU.
Suppose we have a component A with dependencies B and C, both at version 1.2. Suppose B and C each release a new version (1.3) and some time later A releases a new version that bumps the version of B and C to 1.3. The time between the release of B version 1.3 and the release of A version 1.3 is the Time To Upgrade (TTU) for A’s migration to B version 1.3 (and similarly for A’s adoption of C version 1.3). The average of all these upgrade times is then the MTTU.
Suppose a project A includes a dependency B, and B has a vulnerability disclosed at date D1. Then A updates the version of B it’s using on date D2. Time to Remediate (TTR) is then the time between D1 and D2 measured in days, and MTTR is the average TTR for a project across all disclosed security vulnerabilities.
While MTTU does not directly measure the speed at which projects fix publicly disclosed vulnerabilities, it does correlate to a project’s mean time to remediate (MTTR), which is the time required to update dependencies that have published vulnerabilities. Thus, we consider MTTU to be the best metric available to determine the impact a component will have on the security of projects that incorporate it.
The chart below provides a visual summary of herd migration behavior over the past year associated with spring-core, a single component within the highly popular spring-framework. The y-axis shows the past 52 weeks of upgrade activity, with the top row representing herd migration decisions made one year ago, and the bottom row representing herd migration decisions made during the most recent week. The x-axis represents the 150 most recent versions with older versions to the left, and newer versions to the right. View key observations by clicking on the dots below.
The most recent release (5.3.x) of spring-core releases approximately every 4 weeks.
The project is actively maintaining these 2 releases. Darker shading indicates the majority of the community is using these releases.
The project is no longer actively supporting these releases. Teams should migrate away from these stale versions.
Laggards continue to update to older, unsupported, and even vulnerable versions.
Older versions are vulnerable, and older non vulnerable versions (4.3.15+) will inevitably be subject to new vulnerability disclosures.
The community generally avoids .0 releases and pre-releases.
Don’t choose an alpha, beta, milestone, release candidate, etc. version.
.png?width=68&height=88&name=Vector%20(1).png)
Don’t upgrade to a vulnerable version.
.png?width=71&height=46&name=Vector%20(2).png){kind=small}
Upgrade to a lower risk severity if your current version is vulnerable.
.png?width=83&height=61&name=Vector%20(3).png)
When a component is published twice in close succession, choose the later version.
.png?width=71&height=96&name=Vector%20(4).png)
Choose a migration path (from version to version) others have chosen.
.png?width=69&height=82&name=Vector%20(5).png)
Choose a version that minimizes breaking code changes.
.png?width=79&height=74&name=Vector%20(6).png)
Choose a version that the majority of the population is using.
.png?width=80&height=80&name=Vector%20(7).png)
If all else is tied, choose the newest version.
Intelligent automation that standardizes engineering teams on exemplary open source projects could remove 1.6M hours and $240M of real world waste spread across our sample of 100,000 production applications. Extrapolated out to the entire software industry, the associated savings would be billions.
The bleeding edge is dangerous. The near edge is optimal. When analyzing herd migration behavior around dependency management practices, we observed three distinct patterns of team behavior: Teams living in disarray, teams living on the edge, and teams living close to the edge.
Developers working on these teams lack automated guidance. They update dependencies infrequently. When they do update dependencies, they utilize gut instincts and commonly make suboptimal decisions. This approach to dependency management is highly reactive, not scalable, and leads to stale software and increased security risk.
Developers working on these teams have the benefit of intelligent and contextual automation. Dependencies are automatically recommended for updating, but only when optimal. This type of intelligent automation keeps software fresh without inadvertently introducing wasted effort or increased security risks. This approach is proactive, scalable, and optimal in terms of cost efficiency and quality outcomes.
Developers working on these teams have the benefit of simplistic, but non contextual, automation. Dependencies are automatically updated to the latest version, whether optimal or not. Such automation helps to keep software fresh, but it can inadvertently lead to increased security risks and higher costs associated with unnecessary updates and broken builds. This approach is proactive and scalable, but not optimal in terms of costs or outcomes.
Subjectively, survey respondents report they are doing a good job remediating defective components and indicate that they understand where supply chain risk resides. Objectively, research shows development teams lack structured guidance and frequently make suboptimal decisions with respect to software supply chain management.
We plotted all survey responses against the five different stages of software supply chain maturity and found that the majority of respondents were graded less than the “Control” level - which is deemed the point at which an organization transitions from “figuring it out” to a minimal level of maturity that will enable high quality outcomes.
Click on the dots to the right for additional insights.
In May 2021, President Biden signed the Executive Order on Improving the Nation’s Cybersecurity, which has been heralded as a milestone for the U.S. government at a time when cyber espionage and nation-state attacks on critical infrastructure are reaching crisis proportions.
The U.K. government announced that it was seeking advice on defending against digital supply chain attacks from organizations that either consume IT services, or MSPs that provide software and services.
.png)
Germany passed the Information Technology Security Act 2.0 as an update to the First Act to “increase cyber and information security against the backdrop of increasingly frequent and complex cyber-attacks and the continued digitalisation of everyday life.”
.png)
The European Union Agency for Cybersecurity (ENISA) released a July 2021 report titled “Understanding the increase in Supply Chain Security Attacks.” The report reviewed 24 different software supply chain attacks and shared recommendations that organizations should put in place to protect themselves against attacks.
