SSC_2020_Cover

 

2020 State of the Software Supply Chain

Read our 6th annual report on open source software development and understand why productivity does not have to come at the cost of reduced security.

SSC_2020_Cover

 

2020 State of the Software Supply Chain

Read our 6th annual report on open source software development and understand why productivity does not have to come at the cost of reduced security.

The 2020 State of the Software Supply Chain Report blends a broad set of public and proprietary data, along with survey results from over 5,600 professional developers to reveal important findings, including:

  • 430% growth in next-generation cyber attacks actively targeting OSS (Chapter 1)
  • 1.5 trillion OSS component download requests (Chapter 2)
  • 530x faster time to update dependencies for exemplary OSS projects (Chapter 3)
  • 26x faster remediation of vulnerabilities for high performing teams (Chapter 4)
  • 11% of OSS components used in applications have known vulnerabilities (Chapter 5)

For the second year in a row, we’ve collaborated with research partners Gene Kim from IT Revolution and Dr. Stephen Magill, CEO at MuseDev, to examine how high performing enterprise software development teams successfully balance their performance and risk management practices while assembling applications with open source components.

Get Your Copy!
SON_Headshot_Gene_Kim@2x

“It was a privilege to be part of this research effort to better understand the health and habits of the open source component ecosystem, where we could study all the Java artifacts stored in The Central Repository, which some of us know as 'Maven Central,'” said Gene Kim Author, Researcher, and Founder of IT Revolution. “It was incredible to explore how exemplars achieve better outcomes (quality, security, popularity), and what factors correlated with them, such as team size, release frequency, number of dependencies, their strategy to update them, and many more.”

 

Improving outcomes with DevSecOps and automation.

SSC_Page_Chart1

Automation accelerates the demand for open source.

In 2018, download requests for Java components grew 68% year over year to 146 billion. Downloads of npm packages reached 10 billion per week — equating to a 185% year over year.

Average days

The best open source project teams are blue.

Exemplary OSS project teams demonstrate 3.4x faster vulnerability remediation, were 6x more popular, had 33% larger development teams and were 9.3x more likely to have a process to proactively remove problematic dependencies.

55 percent reduction

DevSecOps automation reduces OSS risks.

Organizations automating open source governance as part of a managed software supply chain practice reduced the percentage of vulnerable components used in finished applications by 55%.
Twitter LinkedIn Facebook YouTube GitHub
Products
Free Tools
Solutions
Resources
Customer Portal
Company
SON_logo_white@2x copy trimmed

Sonatype Headquarters - 8161 Maple Lawn Blvd #250, Fulton, MD 20759

Tysons Office - 8281 Greensboro Drive – Suite 630, McLean, VA 22102

Australia Office - 60 Martin Place Level 1, Sydney, NSW 2000, Australia

London Office -168 Shoreditch High Street, E1 6HU London

Subscribe for all the latest software security news and events

Copyright © 2008-present, Sonatype Inc. All rights reserved. Includes the third-party code listed here. Sonatype and Sonatype Nexus are trademarks of Sonatype, Inc. Apache Maven and Maven are trademarks of the Apache Software Foundation. M2Eclipse is a trademark of the Eclipse Foundation. All other trademarks are the property of their respective owners.

Terms of Service    Privacy Policy    Modern Slavery Statement    Event Terms and Conditions   Do Not Sell My Personal Information