Protecting the open source software supply chain
- By Amanda Ziadeh
- Jul 22, 2016
What: The 2016 State of the Software Supply Chain report from Sonatype detailing the use of open source components in software.
Why: Because 80 to 90 percent of today’s software applications are made of component parts, and increasingly, open source components, defect rates and security and quality issues abound within the software supply chain. Adopting supply chain automation principles, however, could reduce vulnerabilities.
Findings: The report analyzes 31 billion download requests of open source software components from Sonatype’s Central Repository, a large and active public repository of open source components for the Java development community. It analyzed downloads from 3,000 organizations and the software component of 25,000 applications. The report outlined its four key discoveries:
There is a massive supply of open source components: The number of reusable, open source components is expanding, and the Central Repository shows a massive increase in downloads over time, which increases vulnerability. Software supply chain automation principles can reduce risk and balance speed with quality, security, maintainability and repeatability. Local component warehouses inside the firewall allow managers to monitor the quality of software components and lets teams store components in a private secure location.
Supplier networks are growing rapidly: An analysis of 380,000 open source projects found that components are updated with new releases an average of 14 times a year. Consequently, it’s important for organizations to use trustworthy suppliers with reliable, active and updated repositories.
Not all parts are created equal: The analysis of 25,000 apps revealed that 6.8 percent of components used had known defects, and those between five and seven years old had two times the known security defect rate than those younger than three years. Organizations should standardize on the most recent version of components to decrease defect rates.
Software supply chain management practices are gaining traction: The Federal Trade Commission, the Food and Drug Administration, the Department of Defense, 18F and the National Institute for Standards and Technology are adopting a software bill of materials (BOM), a practice that keeps track of a complete inventory of the component parts used in an application and requires vendors to go through extensive software vulnerability testing.
For example, the FDA studied how to best work with medical device manufacturers to address vulnerabilities in software and expressed the need for software BOM. NIST’s Risk Management Framework for government-built applications requires documenting an inventory of system components similar to a BOM and vulnerability scanning of open source components. DOD also released a publication for the procurement process defining software assurance as the level of confidence that software functions as intended and is free of vulnerabilities.
Takeaway: Government agencies and organizations can reduce the cost of fixing application components, remediating defects or coding from scratch and avoid vulnerabilities with better software supply chain management practices.
Find the full report here.
Amanda Ziadeh is a former reporter/producer for GCN.