Source: https://www.sonatype.com/state-of-the-software-supply-chain/introduction

8th Annual State of the Software Supply Chain presented by Sonatype
Previous reports:

 * 7th Annual Report: 2021
 * 6th Annual Report: 2020
 * 5th Annual Report: 2019
 * 4th Annual Report: 2018
 * 3rd Annual Report: 2017
 * 2nd Annual Report: 2016
 * 1st Annual Report: 2015

Sonatype’s industry-defining research on the rapidly changing landscape of open
source with a foreword by the Linux Foundation.

What follows is our 8th Annual State of the Software Supply Chain report, which
analyzes how software is developed, the industry's reliance on open source
software, and the good and bad of that dependence. With this in-depth research,
we hope to provide not just understanding of today’s software development
lifecycle, but recommended changes that can make software supply chains more
secure, and the lives of developers easier.

As in years past, this year saw tremendous growth in demand for open source,
and with it a growing need for effective management. We have hit an inflection
point: development teams must defend against software supply chain attacks and
choose better open source projects. We also look at current software development
best practices, how developers' perception of their own maturity compares with
their measured performance, and the widespread benefits of improved morale.

Likely the most serious development this year is an approaching collision of two
critical issues in our industry: the continued growth of open source security
concerns along with a dramatic legislative response by governments worldwide.


REGULATION COMES TO THE SOFTWARE SUPPLY CHAIN

On January 1, 1968, the federal motor vehicle safety standard on seat belts,
issued under Title 49 of the United States Code, went into effect. It required
all vehicles, buses excepted, to be fitted with seat belts at every designated
seating position. State laws mandating their use soon followed.

Today most of us wouldn't think twice about buckling up—even for a trip around
the block. The idea of preemptive safety has been instilled in us, but it took
some time for us to appreciate the necessity. Now it is common practice.

In every facet of life in the developed world, our lives are blanketed with
regulations that aim to remove risk from an increasingly technical world: speed
limits, stock trading requirements, stringent controls over pilot hours in the
skies, and so on. We generally observe these safety measures because they have,
for the most part, become habit, and we accept the idea that they are good for
us.

Key findings:

 * Software supply chain attacks have grown at an astonishing average annual
   rate over the past three years (the percentage did not render in this
   capture).
 * About 6 out of every 7 project vulnerabilities come from transitive
   dependencies.
 * "More mature software supply chain management equates to more job
   satisfaction."
 * 1.2 billion vulnerable dependencies are downloaded each month.
 * A large share of known-vulnerable open source downloads are avoidable (the
   percentage did not render in this capture).


WHAT WOULD IT MEAN TO BUCKLE UP IN SOFTWARE DEVELOPMENT?

We are in year two of the United States Presidential Executive Order on
cybersecurity (Executive Order 14028, "Improving the Nation's Cybersecurity",
May 2021), which addresses the software supply chain with the aim of reducing
risk. Other countries have followed suit. Later in the report you will find
several new developments worldwide in 2022 that grew out of that initial
Executive Order: Japan, for example, hosted the Open Source Security Summit in
August 2022, and the European Union proposed the Cyber Resilience Act in
September 2022.

While designed to reduce risk and secure software supply chains, these
developments do not yet come with mandatory enforcement for most organizations:
the Executive Order binds federal agencies and their suppliers, and the Cyber
Resilience Act is still a proposal. As a result, enterprise practices and
developer methodologies vary remarkably, and so do outcomes.

Indeed, a best-practices approach and a casual approach produce dramatically
different results in how well software supply chains are secured. This edition
of the State of the Software Supply Chain report shows the link between good
practices and good outcomes, and its counterpart, poor practices and poor
outcomes. The report was, and continues to be, written to encourage
developer-level software supply chain practices that lead to positive outcomes
and fulfilling work.

We continue to draw from public and proprietary data sources to illustrate a
host of issues with effective supply chain management. We'll look at:

 * Ongoing growth of the software supply chain, as well as persistent security
   concerns
 * Insights on choosing the best dependencies for your projects
 * Developer behavior and recommendations
 * A look at enlightened supply chain management, and perception versus reality
   when it comes to maturity
 * Current and upcoming regulation at the international level

This report is a look into data-backed methodologies in the open source
ecosystem and the impact on the software supply chain. Enjoy the read and buckle
up!


FOREWORD

Enhancing software supply chain security is a priority issue for the open source
community. Recent exploitations, from Log4j to crypto heists tied to open source
repositories, have proven costly, not only in financial terms, but in terms of
loss of trust. At the Linux Foundation (LF), we've engaged stakeholders across
the open source ecosystem to build more trusted software supply chains,
understanding that only through a coordinated effort to implement security best
practices can we create the necessary foundations for more secure software. And
within this landscape, Sonatype has been a reliable and trusted partner.

Important security initiatives at the LF include the formation of the Open
Source Security Foundation, the hosting of recent Open Source Security Summits
in North America, Europe, and Japan, the creation of free security-related
training courses, such as how to use Sigstore and SLSA levels to secure
software supply chains, as well as the engagement of executive leaders in
government and enterprise. And in pursuing further research, highlighted by
the formation of LF Research as a capability in 2021, we're actively engaged in
supporting coordinated open source software security efforts through trusted
data generation.

Current research on open source - including measuring supply and demand,
identifying trends in contribution levels, and exploring security-related
challenges and readiness - is a sought-after resource for the formation of open
source strategy and guiding the implementation of best practices. Organizations
like Sonatype are leading the much-needed empirical research effort to help
answer critical questions around open source trends at a broad level, with an
increasing focus on security. Recent research from the LF identifies the most
widely used software applications (with the Laboratory of Innovation Science at
Harvard), explores software bill of materials (SBOM) readiness, identifies gaps
in organizational software development practices, and uncovers challenges facing
the maintainer and committer community. And in the process of producing
research, we know we can't operate on our own. It takes a community to build
data-driven insights—the type that encourages development teams to apply sound
and secure methodologies.

Sonatype's annual research reports are a vital part of the open source data and
insights landscape, and this year's report is no exception. New data on
dependency management, standards adoption, velocity, and yes - the efficacy of
security metrics - including the Open Source Security Foundation Scorecard, will
guide decision makers with increasing confidence. Sonatype's 8th Annual State of
the Software Supply Chain is an important resource that will inform high-impact
actions across the ecosystem, and empower all facets of the open source
community to reach consensus on important issues. We at the Linux Foundation
wholeheartedly support this work.

Hilary Carter
VP Research
The Linux Foundation

Copyright © 2008-present, Sonatype Inc.
All rights reserved.