2019 State of the Software Supply Chain Report

Following a year of research that delved into 36,000 open source software projects, 3.7 million open source releases and 12,000 enterprise development teams, enterprise software company Sonatype has released their fifth annual State of the Software Supply Chain report.

The company partnered with IT Revolution founder Gene Kim and Dr. Stephen Magill, Muse CEO and Galois principal scientist, to objectively and comprehensively catalog outstanding development practices, particularly in relation to secure coding practices. Sonatype also examined and analyzed the fast-expanding supply and rapidly growing demand for open source components.

Through their research, Sonatype unveiled four key statistics surrounding the growth of open source components and their security improvements:

• Open source component releases have grown by three-quarters in the past two years;
• The number of download requests from the Central Repository has grown 68 percent year-over-year;
• The median time to update dependencies for exemplary open source components has become 18 times faster; and
• The use of vulnerable open source component releases within managed software supply chains has gone down by 55 percent.

One of the main goals of this year’s report was to delve into how enterprise development teams and OSS projects approached and addressed software supply chain security issues in order to create an outline of industry best practices. The Sonatype researchers found that exemplary enterprise development teams remediated known vulnerabilities 3.4 times faster than other teams, were 10 times more likely to schedule dependency updates, were 18 times faster at updating dependencies, and were 12 times more likely to use automated tools to help manage open source dependencies. Perhaps as a result of the above, these teams experienced a 55 percent reduction in the use of vulnerable OSS components in automated environments.

In short, Sonatype concluded that enterprise development teams that maintained exemplary DevSecOps practices were able to realize clear competitive advantages over their peers. This is especially important in light of another statistic that Sonatype uncovered in their report: while exemplary development teams are improving security, the number of open source-related breaches has grown by a staggering 71 percent over the past five years.