In July, Sonatype released their third annual State of the Software Supply Chain report, concluding that when organisations actively manage the quality of open source components in software applications they see a 28% improvement in developer productivity (through reduction in manual governance), a 30% reduction in overall development costs, and a 48% increase in application quality (as application vulnerabilities are removed early, reducing their incidence in production). Analysis also showed that applications built by teams utilising automated governance tools reduced the percentage of defective components by 63%.
Derek Weeks, VP and DevOps Advocate at Sonatype told InfoQ:
The data comes from a number of different sources: empirical data assessed from Maven Central for Java, and Sonatype has indexed other repositories such as NPMJS.org (JavaScript), the NuGet Gallery (.NET) and PyPI.org (Python). We also research throughout the year, constantly keeping an eye on the market for news and stories about open source components, quality and practices and regulations.
The report also highlighted the growth in consumption of open source components in software development; year-over-year downloads of Java components grew 68% (52 billion in 2016), JavaScript downloads grew 262% (59 billion in 2016), and demand for Docker components is expected to grow by 100% in the next 12 months (12 billion downloads).
Weeks said:
Innovation is king, speed is critical, open source is at centre stage. Because speed is critical, any developer or CIO or CEO will say if you can do something in one second versus fifteen minutes, choose the one second option. This is why people are choosing the download from the internet option rather than the build from scratch option.
Part of the challenge for organisations using open source components is that, according to the report, open source software (OSS) projects take a mean time of 233 days to remediate a known vulnerability - and only 15.8% of OSS projects do actively fix vulnerabilities.
Weeks said:
Most open source projects are perhaps not aware of the vulnerabilities - maybe the security researchers are not able to effectively communicate their findings with the projects. Maybe there aren’t enough people that understand secure coding practices in the projects themselves in order to assess and remediate the vulnerabilities. This is conjecture on my part.
Sonatype claims that high-functioning DevOps organizations are utilizing machine automation to govern the quality of open source components flowing through their software supply chains thereby improving software hygiene.
Weeks said:
People need to be aware of what open source components they are using in their software development. Awareness changes behaviours; build a bill of materials of your software. Once you have the bill of materials you can assess what is good. This awareness needs to happen much more than it does now. If you want to understand if you are using good or bad components, the earlier this happens the better. If you are delivering this intelligence to developers they can make choices and embed secure coding practices early in the coding cycle.
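As an added illustration of the "build a bill of materials, then assess it" workflow Weeks describes, and of the automated governance the preceding paragraphs refer to, the following Python is not part of the article and is not Sonatype's tooling. It builds a minimal bill of materials from a pinned pip-style manifest, matches each component against an advisory list, and returns a block/allow decision of the kind a CI gate would act on. The manifest contents, the EXAMPLE-ADV identifiers and every version range are constructed placeholders, not real vulnerability data; the PEP 503 name normalisation is the real rule, while the version ordering is a deliberately simplified integer-tuple comparison.

```python
import re
from dataclasses import dataclass

# Constructed sample manifest (pip requirements style); versions are made up.
SAMPLE_REQUIREMENTS = """\
# constructed example manifest
requests==2.19.1
Flask == 1.0.2
pyyaml==5.1
markdown==3.0
"""

# Constructed advisory feed: component, first affected version, first fixed version.
# The ids and ranges are illustrative placeholders, not real advisories.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "requests", "introduced": "2.0.0", "fixed": "2.20.0"},
    {"id": "EXAMPLE-ADV-0002", "name": "PyYAML", "introduced": "0", "fixed": "5.2"},
]


@dataclass(frozen=True)
class Component:
    """One entry in the bill of materials: normalised name plus exact version."""
    name: str
    version: str


def normalize_name(name):
    # PEP 503 normalisation: case-insensitive, runs of "-", "_" and "." collapse to "-".
    return re.sub(r"[-_.]+", "-", name).lower()


def parse_version(version):
    # Simplified ordering: tuple of the numeric segments. Pre-release tags are ignored.
    return tuple(int(part) for part in re.findall(r"\d+", version))


def build_bom(manifest_text):
    """Turn a pinned requirements file into a list of Components.

    Only exact pins (==) are accepted: a component whose version is not known
    cannot be assessed, so an unpinned line is treated as a governance failure.
    """
    bom = []
    for raw in manifest_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        match = re.match(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*==\s*([0-9][0-9A-Za-z.]*)$", line)
        if not match:
            raise ValueError(f"unpinned or unparseable requirement: {line!r}")
        bom.append(Component(normalize_name(match.group(1)), match.group(2)))
    return bom


def is_affected(component, advisory):
    """True when the component's version lies in [introduced, fixed)."""
    if normalize_name(advisory["name"]) != component.name:
        return False
    version = parse_version(component.version)
    return parse_version(advisory["introduced"]) <= version < parse_version(advisory["fixed"])


def assess(bom, advisories):
    """Return (component, advisory id, first fixed version) for every match."""
    findings = []
    for component in bom:
        for advisory in advisories:
            if is_affected(component, advisory):
                findings.append((component, advisory["id"], advisory["fixed"]))
    return findings


def gate(findings):
    # Governance policy for the CI step: any known-affected component blocks the build.
    return "block" if findings else "allow"


if __name__ == "__main__":
    bom = build_bom(SAMPLE_REQUIREMENTS)
    findings = assess(bom, SAMPLE_ADVISORIES)
    for component, advisory_id, fixed in findings:
        print(f"{component.name}=={component.version}: {advisory_id}, upgrade to >= {fixed}")
    print("policy:", gate(findings))
```

Running it against the constructed manifest reports the two matching components and a "block" verdict; an unpinned line such as `requests>=2.0` raises instead of silently passing, because a bill of materials that cannot name the exact version gives the assessment nothing to check.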
We asked Weeks if there is a security skills shortage. He said:
Yes and no. With every new movement in the IT industry there's always a shortage of skills, but the way the IT industry continues to evolve is by finding tools and solutions to automate these things. You can say there is an application security skills shortage, or you can say I have a person manually assessing the security of an application - what if, instead of having them work manually, we have them automate part of that analysis or security as part of their job? That makes that person in that organisation more productive. Technology and automation are the answer to the skills shortage - we innovate our way out of it.