
As the industry’s reliance on open-source software has increased, so has the number of known software supply chain attacks, with a 742% increase over the last three years, according to Sonatype’s eighth annual State of the Software Supply Chain Report. According to the report, 1.2 billion vulnerable dependencies are downloaded each month, and for 96% of those a non-vulnerable version was available. Consumer behavior, not open-source maintainers, is often cited in public discussions as the cause.

One reason behind this trend is the increase and evolution of software supply chain attacks. The report reveals a 633% year-over-year increase in malicious attacks aimed at open source in public repositories – and an average 742% yearly increase in software supply chain attacks since 2019. 

Image source: Sonatype.

While cybercriminals are nothing new, the frequency, severity and sophistication of these malicious attacks are becoming a major issue plaguing developers and organizations around the world. Developers are being asked to maintain a working knowledge of software quality, multiple open-source ecosystems, fluctuating regulations and almost 1,500 dependency changes per year, per application – all in the face of continually evolving attacks.

So what can be done? Minimizing the number of dependencies and keeping update times short are critical to reducing the risk of transitive vulnerabilities — vulnerabilities pulled in through a dependency’s own dependencies, which are the most common source of security risk.


Curbing vulnerabilities is about more than the security of projects, though: it affects job satisfaction, too. In a survey of engineering professionals, individuals from organizations with higher levels of software supply chain maturity were 2.7 times more likely to strongly agree with the statement, “I am satisfied with my job.” 

Interestingly, there’s a clear disconnect between security measures taking place and what people in IT think is happening. Sixty-eight percent of respondents were confident their applications are not using vulnerable libraries. However, in a random scan of enterprise applications, 68% had known vulnerabilities in their open-source software components.

IT managers were 2.4 times more likely than respondents working in information security to strongly agree with “We address remediation of security issues as a regular part of development work.” 

To innovate faster and grow at scale, organizations need to make it as easy as possible for developers to create secure, maintainable software, which includes giving them smarter tools that provide more visibility into their systems and automate their processes. 

Sonatype’s eighth annual State of the Software Supply Chain Report blends a broad set of public and proprietary data and analysis, including 131 billion Maven Central downloads, survey results from 662 engineering professionals, and the assessment of 85,000 enterprise applications. 

Read the full report from Sonatype.
