In today's fast-paced world, the pursuit of excellence is a relentless journey. We all understand the significance of innovation, efficiency, and the individuals at the core of it all: developers. From our past eight State of the Software Supply Chain reports, we know that developer productivity soars when they have access to superior tools and better open source components, making them the driving force behind better security and better products.
But what exactly does "better" mean in the ever-expanding landscape of technology choices? This question, in part, is the reason we’ve been studying the software supply chain for the last nine years. As we deliver the 9th version of this State of the Software Supply Chain report, that question is more paramount than ever. As we explore how to make “better” software, it’s not just about the introduction of AI or cutting-edge technologies. It's about addressing fundamental issues that, in many ways, have not changed in nine years. It's about the often-overlooked, yet vital, element that lies within our software supply chain: open source consumption behavior.
We sift through the labyrinthine market of software components, not to add to the cacophony of choices but to streamline it. Why? Because choice is a double-edged sword. The consequences of choosing poorly are far-reaching.
Consider this: last year, we revealed that a staggering 85% of projects in Maven Central—the largest public repository for Java open source components—are inactive. In other words, developers are faced with a perplexing array of choices, with only a fraction of them leading to active, well-maintained projects. Yet, we also found, and re-affirmed this year, that 96% of all vulnerable downloads from Maven Central, had known fixes available. There are so many choices to make, and only with the right tools, the right automation, can developers truly be set up for success.
As we dissect the intricacies of open source adoption and consumption, we validate a frustrating truth—development practices remain rife with inconsistency. When choices are made poorly, this inconsistency translates into increased risks, discontent among developers, and, perhaps most significantly, a loss of both time and money. This year we found:
1 in 8
open source downloads have known risk
superior versions of components are typically available for every nonoptimal component upgrade made
of survey respondents feel confident that their applications do not rely on known vulnerable libraries, despite 10% of respondents reporting their organizations had security breaches due to open source vulnerabilities in the last 12 months
malicious packages discovered — 2X all previous years combined
of vulnerable downloaded releases had a fixed version available
Good data saves you twice as much time in solving component upgrades and high-risk vulnerability production
increase in the adoption AI and ML components within corporate environments over the last year
The State of the Software Supply Chain report each year isn't just a cautionary tale, but a call to action. It is a response to the pressing need to redefine our priorities and a testament to our willingness to evolve. We find ourselves in a period of revolution. Modernization is our ally. With regulations becoming a focus in nearly every region, an uncertain economic climate demanding cost savings and efficiencies, and malicious activity more prominent than ever, it’s time for change.
In the following pages, we provide you with an in-depth update on open source usage trends and security practices. We continue to draw from public and proprietary data sources to illustrate a host of issues with effective supply chain management. We'll look at the following:
- Ongoing growth of the software supply chain, as well as persistent security concerns
- The advantages of using well-maintained open source packages
- Open source consumption and trends in upgrade urgency of components
- Peer insights into the use of software bills of materials (SBOMs) and mature software supply chain management
- The rise of open source and software supply chain regulations
- What role AI and ML play in assisting developers, and the challenges that AI practitioners face in developing AI products
We also look at what it really means to have SBOMs and a Software Composition Analysis (SCA) program, and ultimately shed light on the path to a more efficient, cost-effective, and secure development.