Research: Usage of defective open source components has declined 63%

Sonatype has released its third annual State of the Software Supply Chain report. The report highlights security concerns related to the usage of open source components and their impact on the software supply chain.

Organisations that are vigilant about the quality of the open source components entering their production applications are realising a 28% improvement in developer productivity, a 30% reduction in overall development costs, and a 48% increase in application quality. The report also noted a 63% decline in the number of defective components built by teams that used automated governance tools. Less vigilant organisations, by contrast, risk wasting time on rework and bug fixes and face potential liability for gross negligence.

Consumption of open source components is growing on a massive scale, with Java component downloads increasing 68%, JavaScript downloads increasing 262%, and demand for Docker components expected to grow 100%. High-functioning DevOps organisations use machine automation to ascertain the quality of the open source components operating in their supply chains. Once vulnerabilities become known, open source component suppliers are slow to remediate them, taking about 233 days to do so, and only 15.8% actively fix them. Downloads of components with known vulnerabilities are decreasing slightly, which is improving hygiene in the software supply chain. For example, downloads of Java components containing known security vulnerabilities fell to 5.5%, down from the previous year.

The regulatory landscape is rapidly changing, with the US, the White House, four federal agencies, and the automotive industry releasing new guidelines to improve the quality, safety, and security of software supply chains in the past year.

Wayne Jackson, CEO, Sonatype, said: “Companies are no longer building software applications from scratch; they are manufacturing them as fast as they can using an infinite supply of open source component parts. However, many still rely on manual and time-consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity.”

Mark Driver, Felix Gaehtgens, Mark O’Neill, Gartner, said: “By 2020, 50% of organisations will have suffered damage caused by failing to manage trust in their, or their partners’, SDLC – causing revenue loss of more than 15%. Application leaders responsible for modernizing application development should re-evaluate the SDLC in the form of a trusted software supply chain, with varied levels of trust.”

Are you surprised at the results of the research? Share your thoughts in the comments.
