"Consumer Behaviors Are the Root of Open Source Risk"

Sonatype has released its eighth annual State of the Software Supply Chain Report. Alongside a massive increase in open-source supply, demand, and malicious attacks, the report found that 96 percent of open-source Java downloads with known vulnerabilities could have been avoided, because a better version was already available but was not chosen. According to the report, 1.2 billion known-vulnerable dependencies that could be avoided are downloaded each month, pointing to non-optimal consumption habits as the source of open-source risk.

Public debate often associates security risk with open-source maintainers. According to the report, open-source maintainers are, on average, efficient at delivering bug fixes. This finding emphasizes the importance of continuing education on open-source risk and of embracing intelligent automation to support developers' efforts. According to Brian Fox, CTO of Sonatype, the overwhelming wave of dependency intelligence that developers must interpret in their daily development process is at odds with prioritizing good software quality. Despite the continued focus on 'fixing open-source,' the data shows that open-source consumers can make immediate changes that will significantly improve their ability to remediate and respond to the next event.

Attacks on the software supply chain have increased in frequency and complexity as more open-source software is consumed. This year's research reveals that malicious attacks on open-source in public repositories increased by 633 percent year over year, for an average yearly increase of 742 percent in software supply chain attacks since 2019. This article continues to discuss key findings and points shared in Sonatype's State of the Software Supply Chain Report.
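The finding above is about consumption: a fixed release already existed, and the build still pulled the vulnerable one. The check that catches this is simple enough to show in full. The following is an added example, not code from the article, from Help Net Security, or from Sonatype's tooling. It reads a Maven `pom.xml`, compares each pinned version against a small advisory table, and reports which vulnerable dependencies were avoidable because a fixed version was published. The `pom.xml` fragment, the `com.example` artifacts, and the `EXAMPLE-000x` advisory identifiers are all constructed placeholders; a real implementation would take advisory data from a vulnerability database and would use Maven's own version-range semantics rather than the simplified comparison here.

```python
"""Flag dependencies pinned to a version with a known advisory, and say
whether a fixed version was already available (i.e. the download was
avoidable).  Added example; advisory data and pom.xml are constructed."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed pom.xml fragment; the artifacts are placeholders, not real projects.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>com.example</groupId><artifactId>parser</artifactId><version>2.3.0</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>httpclient</artifactId><version>4.1.2</version></dependency>
    <dependency><groupId>com.example</groupId><artifactId>logger</artifactId><version>1.0.0</version></dependency>
  </dependencies>
</project>"""


@dataclass(frozen=True)
class Advisory:
    artifact: str                  # "groupId:artifactId"
    advisory_id: str               # placeholder identifier, not a real CVE
    affected_below: str            # every version strictly below this is affected
    fixed_version: Optional[str]   # None when no fixed release has been published


# Constructed advisory table (identifiers are placeholders).
ADVISORIES = [
    Advisory("com.example:parser", "EXAMPLE-0001", "2.4.0", "2.4.0"),
    Advisory("com.example:httpclient", "EXAMPLE-0002", "4.2.0", "4.2.0"),
    Advisory("com.example:logger", "EXAMPLE-0003", "1.1.0", None),  # vulnerable, no fix yet
]


def parse_version(v):
    """Turn a dotted version into a comparable tuple.  Non-numeric suffixes
    are dropped ('1.2.3-beta' -> (1, 2, 3)) and trailing zeros are stripped so
    '2.3' and '2.3.0' compare equal.  Simplified, not Maven's full ordering."""
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def read_dependencies(pom_xml):
    """Return [(\"groupId:artifactId\", version), ...] from a pom.xml string."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", ns):
        group = d.findtext("m:groupId", namespaces=ns)
        artifact = d.findtext("m:artifactId", namespaces=ns)
        version = d.findtext("m:version", namespaces=ns)
        deps.append((f"{group}:{artifact}", version))
    return deps


def check_dependencies(deps, advisories):
    """One finding per (dependency, matching advisory).  'avoidable' is True
    when a fixed version existed and could have been selected instead."""
    by_artifact = {}
    for adv in advisories:
        by_artifact.setdefault(adv.artifact, []).append(adv)
    findings = []
    for artifact, version in deps:
        for adv in by_artifact.get(artifact, []):
            if parse_version(version) < parse_version(adv.affected_below):
                findings.append({
                    "artifact": artifact,
                    "version": version,
                    "advisory": adv.advisory_id,
                    "fixed_version": adv.fixed_version,
                    "avoidable": adv.fixed_version is not None,
                })
    return findings


def avoidable_ratio(findings):
    """Share of vulnerable dependencies for which a fix already existed."""
    if not findings:
        return 0.0
    return sum(1 for f in findings if f["avoidable"]) / len(findings)


if __name__ == "__main__":
    found = check_dependencies(read_dependencies(SAMPLE_POM), ADVISORIES)
    for f in found:
        fix = f["fixed_version"] or "no fix published"
        print(f"{f['artifact']}@{f['version']}: {f['advisory']}, upgrade to {fix}")
    print(f"avoidable: {avoidable_ratio(found):.0%}")
```

Run as a script, it lists each vulnerable pin with the version to move to; wired into CI, a non-empty list of `avoidable` findings is the condition to fail the build on, since those are exactly the downloads the report says should never have happened. Findings with no fixed version need a different response (a compensating control or a tracked exception), which is why the two cases are kept apart.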

Help Net Security reports "Consumer Behaviors Are the Root of Open Source Risk"