Software supply chain report: UK businesses use vulnerable components

A State of the Software Supply Chain report has revealed the endemic use of vulnerable components by UK businesses, with the average UK enterprise having downloaded 21,000 components with a known security flaw.

Enterprise software company Sonatype has led a study of 12,000 enterprise development companies, identifying new secure coding best practices based on comprehensive industry data.

The report reveals increasing use of faulty components, such as those responsible for attacks on Equifax, Apple and seven others, which averaged 2.1 million downloads per month.

The findings show that of the average 248,000 open source components downloaded by British business in 2018, 8.8% have a known security flaw. Of these vulnerabilities, a huge 30% – some 6,300 – are deemed to be critical, posing a serious risk to the security of software.

These findings are evidence of a worrying trend of vulnerable components being built into applications, with 1 in 10 open source components downloaded in 2018 containing a known security vulnerability.

51% of JavaScript package downloads also had a known flaw, demonstrating the scale of the challenge facing organisations.

The report also examined the volume of companies using the flawed Struts component responsible for the Equifax attack – as well as attacks on at least eight other major institutions – and revealed that downloads increased by 11% in the year following the breach, averaging 2.1 million per month.

Against this threat landscape, however, there remains clear optimism, with the report identifying breakthrough coding practices which are proven to significantly mitigate threats. The findings also revealed a slight decrease in vulnerable downloads, from 1 in 8 in 2017 to 1 in 10 last year, as businesses improve software supply chain management.

Most strikingly, the report discovered that developers using the most current versions of open source component dependencies will dramatically reduce their cybersecurity risk. This research also revealed five behaviour groups that characterise significant differences in approach to open source software development and cybersecurity hygiene.

Furthermore, analysis showed that open source project popularity did have a strong correlation to cybersecurity hygiene and that use of continuous integration tools did not correlate with a higher frequency of security updates.

This year’s report details the exponential growth in the supply of and demand for open source components by developers, but also reveals sobering statistics about open source consumption that goes unchecked.

Adversaries are increasingly targeting open source components: there has been a 71% increase in open source related breaches over the past five years; 24% of organisations confirmed or suspected an OSS related breach; and 15 events highlighted a new attack pattern for malicious code injection within open source software supply chains.

Wayne Jackson, CEO of Sonatype, said: “We have long advised businesses that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software.

“For organisations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%.”

About the State of the Software Supply Chain Report:

The 2019 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis to identify exemplary software development practices. This year’s report was produced in collaboration with Gene Kim of IT Revolution and Dr. Stephen Magill of Galois and CEO of MuseDev. Findings in the report stem from analysis of 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys, with a combined participation of over 6,200 development professionals.