Professional Documents
Culture Documents
State of
the
Software
Supply Chain
The 6th Annual Report on Global Open Source Software Development
⊲ They utilize a massive volume of open source ⊲ 430% growth in next generation cyber attacks
libraries actively targeting open source software projects
(Chapter 1)
The universal desire for faster innovation demands
⊲ 1.5 trillion open source component and container
efficient reuse of code, which in turn has led to a
download requests in 2020 (Chapter 2)
growing dependence on open source and third-
party software libraries. These artifacts serve as ⊲ 530x faster mean time to update dependencies
reusable building blocks, which are fed into public and 2.8x more commits for exemplary open
repositories (npm, Maven Central, PyPI, NuGet source projects (Chapter 3)
Gallery, RubyGems, etc.) where they are freely
⊲ 26x faster detection and remediation of open
borrowed by millions of developers in the pursuit
source vulnerabilities for high performance
of faster innovation. This is the definition of the
enterprise development teams (Chapter 4)
modern software supply chain.
⊲ 11% of OSS components used in applications have
Now in its sixth year, Sonatype’s State of the known vulnerabilities (Chapter 5)
Software Supply Chain Report continues to exam-
ine compelling and measurable practices of secure Once again, the report summarizes the latest
open source software development and delivery. government and industry initiatives designed to
For the second year in a row, we’ve collaborated protect software supply chains and strengthen the
with research partners Gene Kim from IT Revolution foundations of open source.
and Dr. Stephen Magill, CEO at MuseDev, to
examine how high performing enterprise software Together with our partners, we are proud to share
development teams successfully balance their this research. We hope that you find it valuable.
Open Season
on Open Source
In 2020, developers around the world will request which targeted the Copay cryptocurrency wallet in
more than 1.5 trillion open source software compo- November 2018, and the recent Octopus Scanner FIGURE 1A
nents and containers for one reason: it accelerates Malware targeting the NetBeans open source IDE Combined
CombinedReach of 100
Reach of Influential
100 Maintainers
the pace of innovation. in May 2020.2 SOURCE: MARKUS ZIMMERMANN AND CRISTIAN-ALEXANDRU STAICU, TU DARMSTADT;
Influential Maintainers
CAM TENNY, R2C; MICHAEL PRADEL, TU DARMSTADT
60%
In the past 12 months, the number of next gener- According to security researchers at the University of
ation cyber attacks aimed at actively infiltrating Bonn, SAP Labs France, and Fraunhofer FKIE, “From 52%
open source increased 430%. The attacks are an attacker’s point of view, [large scale, public inter-
45%
a uniquely efficient way for adversaries to gain net-based] package repositories represent a reliable
Reached Packages
leverage and scale by exploiting software supply and scalable malware distribution channel. Thus far, 37%
community are facing a novel and rapidly expand- be easily triggered during package installation.”3 15%
focus “upstream,” bad actors can infect a single 3. The ethos of open source is built on “shared 2011 2012 2013 2014 2015 2016 2017 2018
component, which will then be distributed “down- trust” between a global community of individu- Time
stream” using legitimate software workflows and als, which creates a fertile environment whereby
SOURCE 1A, 1B: Markus Zimmermann and Cristian-Alexandru Staicu,
update mechanisms. Two high profile examples of bad actors can prey upon good people with TU Darmstadt; Cam Tenny, r2c; Michael Pradel, TU Darmstadt
these modern upstream attacks are event-stream,1 surprising ease.
Mar-15
Aug-17
Sep-17
Oct-17
Feb-18
May-18
Jul-18
Aug-18
Oct-18
Nov-18
Dec-18
Jan-19
Mar-19
Apr-19
May-19
Jun-19
Jul-19
Aug-19
Oct-19
Nov-19
Dec-19
Feb-20
Apr-20
May-20
between 134,774 and 166,086 other packages,
making them an extremely attractive target for
attackers (FIGURE 1B).5
Exacerbating the risks even further, the Linux February 2015 to June 2019, 216 such attacks rest-client, August 2019), releasing new versions of
Foundation’s Core Infrastructure Initiative found that were recorded. Then from July 2019 to May 2020 a project to a public repository (see bootstrap-sass,
of the top 10 most-used software packages, seven an additional 929 attacks were documented April 2019) contributing pull requests to a project that
were hosted under individual developer accounts; (FIGURE 1C). include malicious code (see event-stream, November
the researchers then questioned “what happens if 2018), or tampering with open source developer tools
The most common type of attack is Typosquatting, that inject malicious code into downstream applica-
one of these accounts is hacked? Would you, farther
an indirect attack vector that preys on developers tions (see Octopus Scanner, May 2020).
down the software supply chain, even know?”6
making otherwise innocent typos when searching for
popular components. If a developer accidentally types When malicious code is deliberately and secretly
Rise of Next-Gen “lodahs” when their intention is to source “lodash,” injected upstream into open source projects, it
Software Supply Chain they might accidentally install a malicious component is highly likely that no one knows the malware is
of a similar name (see Lodahs, November 2019). there, except for the person that planted it. This
Attacks (2015-2020) approach allows adversaries to surreptitiously
Next generation cyber attacks actively targeting Another common attack is Malicious Code Injection, set traps upstream, and then carry out attacks
open source software projects have increased which is carried out through a variety of means, includ- downstream once the vulnerable code has moved
430% since we published this report last year. From ing stealing credentials from a project maintainer (see through the supply chain and into the wild.
open source packages. developers. The two libraries imitated the popular
⊲ smartsearchwp
“dateutil” and “jeIlyfish” (the first L is an I).16
Published in January 2019 and then yanked from the AUGUST 2019
npm repository in June 2020, included malicious code ⊲ 109 RubyGems JANUARY 2020
that provided a backdoor to support data exfiltration.8 Yanked from the repository for typosquatting.12 ⊲ 1337qq-js
⊲ rest-client, coming-soon, and cron_parser The malicious npm package exfiltrates sensitive
MARCH 2019
information such as hard-coded passwords or API
⊲ simple-captcha2 0.2.3 and datgrid 1.0.6 Adversaries compromised the account of a rest-cli-
access tokens through install scripts and targeting
As distributed on RubyGems.org, included a ent maintainer to install crypto miners in versions
UNIX systems only.
code-execution backdoor inserted by a third party.9 1.6.10 to 1.6.13. Affected versions were downloaded
about 1000 times. Similar vulnerabilities were found
APRIL 2019 FEBRUARY 2020
in Gem packages: coming-soon and cron_parser.13
⊲ bootstrap-sass ⊲ 381 RubyGems
Someone removed a version of the library, boot- ⊲ bb-builder Packages were yanked from the public repository
strap-sass v3.2.0.2 and immediately released a new Removed from the npm repository after it was as a result of typosquatting concerns.17
version, moments later (v3.2.0.3) with malicious discovered that it stole login information from the
APRIL 2020
code injected into it.10 computers it was installed on and sent sensitive
⊲ 362 RubyGems
information to a remote server.14
JUNE 2019 Were removed from the public repository for
⊲ 23 RubyGems packages OCTOBER 2019 typosquatting and crypto mining malware. They
Including chrome_taker, color_hacker, aloha_anal- ⊲ basic_authable include “atlas-client” (downloaded 2,100 times by
yser, get-text, ruby_nmap, get-texts, colourize, and Three versions of this Gems package released in developers).18
btc-ruby were pulled from the public repository 2017 were yanked from the Gems repository due to
their malicious nature. MAY 2020
because they contained code for crypto mining or
⊲ Octopus Scanner
cookie/password stealing.11
NOVEMBER 2019 26 open source packages were found to be
⊲ electron-native-notify (version 1.1.6) ⊲ sj-tw-test-security compromised through malicious code injection. The
An npm package contained code designed to All versions of the component contain malicious malware was designed to enumerate and backdoor
steal cryptocurrency wallet seeds and other login backdoor code that downloads and runs a script that projects through the NetBeans IDE.
npm credentials published online. PyPI typosquat: “I’m harvesting Deleted go-bindata account npm credentials Back-doored npm package
Affects access to 14% of the npm repo (79K packages). 10 malicious Python credit card numbers resurrected by an unknown user. intentionally compromised. discovered.
packages found. and passwords After a developer deleted their GitHub A malicious version of a npm security team responds
Malicious npm packaged typosquated. Evidence of the fake from your site. account, someone immediately grabbed the package from a core to reports of a malicious back
40 packages harvested over two weeks, collecting packages being Here’s how.” ID — inheriting the karma instilled in that ID contributor to the conventional- door in the get-cookies
credentials used to publish to the npm repository itself. incorporated into David Gilbertson and calling into question packages & sources. changelog ecosystem is module, published in March.
software was noted writes a fictional tale published. The package was Despite being deprecated,
docker123321 images created on Docker Hub. Back-doored PyPI package discovered.
multiple times on his blog about installed 28,000 times in 35 mailparser still receives about
Later accused of poisoning a Kubernetes honeypot Python module ssh-decorator back-doored
between June and creating a malicious hours and executed a Monero 64,000 weekly downloads.
(01/18) and equated to a crypto-mining botnet (05/18). to enable theft of private ssh keys.
Sept 2017. npm package. crypto miner.
CHAPTER 1: OPEN SEASON ON OPEN SOURCE
Linux distro hacked Compromised Homebrew Back-doored Gems Back-doored Gems Cryptocurrency attack via malicious code injection. PyPI package discovered
on GitHub. JavaScript package repository bootstrap-sass RCE bootstrap-sass RCE Malicious code targets users of Agama cryptocurrency wallets with a back-door
Unknown individuals caught stealing npm compromised. package discovered. package discovered. focusing on stealing the wallet seeds and login passphrases. vulnerability.
gain control of the credentials. Accessed in A malicious version of A malicious version The package had been
passgen
Github Gentoo A hacker gains access under 30 minutes the popular of the popular reported as containing a
A RubyGems package discovered that contains a backdoor in its
organization and to a developer’s npm through an bootstrap-sass package, bootstrap-sass package, known vulnerability but was
latest release that was used for cookie stealing.
modified the content account and injects exposed GitHub downloaded a total of downloaded a total of not removed from the
of repositories as well malicious code into a API token. 28 million times to date, 28 million times to date, 23 RubyGems packages pulled from the public repository. public repository.
as pages within. All popular JavaScript and with 1.6K and with 1.6K Packages were pulled from the public repository because they
code considered library called eslint- dependencies, is dependencies, is contained code for cryptomining or cookie/password stealing. 230 RubyGems pulled
compromised. scope, a sub-module of published to the published to the for typosquatting or
Code for cryptocurrency theft identified in npm package.
the more famous ESLint, RubyGems repository. RubyGems repository. impersonating popular
Electron-native-notify (versions 1.1.6) contains code designed to
a JavaScript code open source packages.
steal cryptocurrency wallet seeds and other login instruction
analysis toolkit.
details.
Adversaries compromised basic_authable sj-tw-test-security Python3-dateutil 1337qq-js Hundreds of atlas-client Octopus Scanner
the account of a rest-client Three versions of this All versions of the component and jeIlyfish The malicious npm RubyGems 400 gems were 26 open source
maintainer to install Gems package “contain malicious back-door code Two trojanized package exfiltrates packages yanked removed from the packages were found
crypto miners. released in 2017 that downloads and runs a script that Python libraries sensitive information from the public public repository for to be compromised
Affected versions (1.6.10 to 1.6.13) were yanked from opens a reverse shell in the system were caught such as hard-coded repository as a typosquatting and crypto through malicious code
were downloaded about 1000 the Gems repository allowing a remote attacker to stealing SSH and passwords or API result of mining malware. They injection. The malware
times. Similar vulnerabilities were due to their malicious compromise the affected system. GPG keys from the access tokens through typosquatting include “atlas-client” was designed to
found in Gem packages: nature. projects or infected install scripts and concerns. (downloaded 2,100 enumerate and back
coming-soon and cron_parser. lodahs, web3b, and web3-eht developers. targets UNIX systems times by developers). door NetBeans projects
Taking advantage of a typosquatting only. through the NetBeans
bb-builder removed from the exploit for lodash npm packages, all IDE.
npm repository. versions of the “lodahs” package
The component stole login contain malware designed to find and
information from the computers exfiltrate cryptocurrency wallets.
it was installed on, sending it to Web3b and web3-eht were removed
a remote server. for the same exploit pattern.
2020 STATE OF THE SOFTWARE SUPPLY CHAIN REPORT 9
Speed Remains Critical When FIGURE 1E
Responding to Legacy Software Time to Remediate Known OSS Vulnerabilities After Detection
Time to Remediate Known OSS Vulnerabilities After Detection
Supply Chain Attacks
While bad actors are increasingly shifting their 35%
attention upstream, it is critical to understand and 51%
manage the software supply chain threats that remediate
26%
remain prominent downstream. Specifically, organi- between 1 week
zations must establish a “rapid upgrade posture” so and never.
they can respond quickly to new zero-day disclo- 17%
sures by finding and fixing vulnerable open source
12%
dependencies in production applications.
CHAPTER 1: OPEN SEASON ON OPEN SOURCE
Exploits Begin
Coordinated Disclosure Update Before Exploits Begin Exploits Continue and Sites Remain Vulnerable
Within 3 Days
Open Source:
Supply and Demand
22.5B
20B
BILLIONS
JavaScript JavaScript
FIGURE 2A
Package Downloads,
JavaScript Package Downloads, 17.5B
One trillion JavaScript packages Rolling Weekly Average 2013 – 2020
Rolling Weekly Average 2013 – 2020
SOURCE: MICROSOFT
will be downloaded in 2020 based
SOURCE: Microsoft
on monthly download volumes
today. With over 86 billion package 15B
downloads in May 2020, the
CHAPTER 2: OPEN SOURCE: SUPPLY AND DEMAND
2.5B
0
2013 2014 2015 2016 2017 2018 2019 2020
(to date)
2018
2018
2017
2017
Number of Download Requests for
2016
Number of Download
Java Component Requests
Releases for – 2020
2012
2016 FIGURE 2B Java Component Releases 2012 – 2020
CHAPTER 2: OPEN SOURCE: SUPPLY AND DEMAND
2015 Number of Download Requests for J ava Component Releases 2012 – 2020
2015
2014
2014
2013
2013
2012
2012
Identifying Exemplary
Open Source Suppliers
Researching the Best FIGURE 3A
Laggards
The teams in the bottom 20% in MTTU and stale Exemplary OSS3B
FIGURE Projects
dependencies are the furthest behind in terms of Differentiate Through
Exemplary OSS Projects
update hygiene. These teams release infrequently Seven Performance
CHAPTER 3: IDENTIFYING EXEMPLARY OPEN SOURCE SUPPLIERS
70%
TTU median:
60% 130 days
CHAPTER 3: IDENTIFYING EXEMPLARY OPEN SOURCE SUPPLIERS
TTR mean:
50% 326 days
40%
TTR median:
30% 180 days
20%
10%
FASTER SLOWER
Days to Update
select dependencies with fast MTTU because such metric when deciding which components to utilize
components naturally exhibit better security hygiene. within your software supply chains. Rapid MTTU is suppliers and rely upon
associated with lower security risk and is accessible
To progress comfortably into the status of
Exemplar (top 80% of Exemplars), teams should
from public sources. formalized procurement
aim for a minimum of four releases annually and Just as traditional manufacturing supply chains practices — enterprise
development teams
aim to upgrade at least 80% of their dependen- intentionally select parts from approved suppliers
cies with every release. A higher frequency of and rely upon formalized procurement practices
dependency updates statistically results in higher
quality and more secure code.
— enterprise development teams should adopt should adopt similar
similar criteria for their selection of OSS compo-
nents. This practice ensures the highest quality parts criteria for their selection
Guidance for Enterprise are selected from the best and fewest suppliers
— a practice Deming recommended for decades.
of OSS components.
Development Teams Implementing selection criteria and update practices
Enterprise development teams working with will not only improve code quality, but can accelerate
software supply chains often rely on an unchecked mean time to repair when suppliers discover new
variety of supply from OSS projects where each defects or vulnerabilities. Chapter 4 will further
developer or development team can make their own explore the impact of OSS component selection on
sourcing and procurement decisions. The effort of overall application quality. ■
11%
CHAPTER 4: HOW HIGH PERFORMANCE TEAMS MANAGE OPEN SOURCE SOFTWARE SUPPLY CHAIN
Healthcare 4% Government
group effects.
Insurance 4%
We believe the results we found can help organi-
zations evaluate their approaches to using open
source components and improve the performance
and security of their software delivery practices.
companies with more than 5,000 developers. 63%
of respondents were individual contributors or team
Analyzing the performance
Survey of Open Source
Management Practices
leads, while 37% were managers, VPs, or execu- and security of open
tives. Participants achieved a 75% completion rate,
We created a survey with 41 questions, exploring defined as respondents that answered all of the source component-based
ten areas of software outcomes (dependent vari-
ables), and twenty-four areas of software practices,
questions that fed into our statistical data analysis.
software development
tooling, organization, policies, etc. (independent Cluster Analysis and Findings is made easier because,
variables).
similar to manufacturing
To identify cohorts with similar reported outcomes,
and identify high and low performers, we used
We obtained responses from 679 individuals
across a wide variety of industry verticals, including
a cluster analysis.27 We found four clusters with
markedly different levels of performance, with
supply chains, the
Banking, Retail, Healthcare, and Government (SEE
FIGURE 4A). Organizations of all sizes were repre-
different patterns of practices, and with almost all inventory is visible.
factors being statistically different. We labeled them
sented, ranging from 10-developer organizations to
as follows:
⊲ Productivity First: high productivity, poor risk than the Productivity First cluster. As seen in FIGURE
demonstrate superior risk management outcomes
management outcomes (N=103) 4B, the High Performers are tightly clustered in the
while maintaining high levels of productivity. The
upper right quadrant, while the Productivity First
We can quickly see the different characteristics of Low Performers cluster (red, lower left) identifies
group is more distributed across the bottom left-
the four clusters by projecting them onto a quad- the opposite pattern: demonstrating substandard
and right-quadrants.
rant — on one axis are all the productivity-related risk management outcomes and low levels of
FIGURE 4B
Measuring Risk Management vs. Productivity Outcomes
Measuring Risk Management vs. Productivity Outcomes
2
RISK MANAGEMENT OUTCOMES
−1
−2
−3
−5
−4 −3 −2 −1 0 1 2 3 4
That some tooling CONFIRMED. ⊲ We asked a series of questions about what criteria were important when selecting new OSS
to do centralized Listed below are the top factors associated with high security components, which is about being careful and particular about functionality, integrations,
scanning of depen- confidence: ease of use, security, etc.
dencies and an ⊲ Having a clear process for adding and removing dependencies ⊲ The primary contributing factors all have to do with controlling what components are brought
effective approval into the supply chain. The two next most important factors both had to do with monitoring to
⊲ When selecting new OSS components, the two following factors
process would enforce those policies:
are considered important:
predict confidence ɡ The output of software composition analysis (SCA) tools is integrated into daily develop-
ɡ Security history (e.g. have there been multiple high-risk CVEs)
in OSS security. ment workflows.
ɡ Rate of fixes (frequency of security and bug fixes) ɡ Every deployed application is centrally tracked, including its open source dependencies,
⊲ Scheduling updating open source dependencies as part of our and it is known who the application team leader is. This practice is critical to building and
daily work maintaining SBOMs for each application.
Practices associated with effec- CONFIRMED. ⊲ We found it interesting that all these factors relate to
tive governance (e.g., processes Listed below are the top factors associated with increased confidence in OSS license process, not technology.
defined, tools to monitor compli- compliance. ⊲ We were surprised that the degree of centralized
ance, responsibilities assigned, ⊲ Having a clear process for adding and removing dependencies governance was not associated with increased
etc.) would increase confidence performance — this likely indicates that there are
⊲ Consistently following open source approval processes
in OSS license compliance. many organizational approaches to effectively solve
⊲ Prioritizing licensing considerations when selecting new open source components compliance problems.
⊲ Scheduling updating open source dependencies as part of our daily work
Organizations that take a more active NOT SUPPORTED. ⊲ We found that High Performers were more likely to maintain internal forks of open source projects. Upon reflec-
role in open source development will tion, we believe this is because internal versions are required to make changes and develop new features, even
maintain fewer internal forks of open when these are being regularly contributed back. In a future survey, we will ask about long-lived internal forks
source projects. that diverge from the original repository in order to better capture the distinction between forking to contribute
back (generally good) and forking to avoid keeping up-to-date (generally bad).
Measured various aspects of work including organizational support, level of fit between skills and tasks, and ability to complete work.
High Performers would not only have better CONFIRMED. ⊲ We found a surprisingly high correlation approaching the levels we saw with
security and higher productivity, but also security-related outcomes. The top factors were:
higher job satisfaction; we didn’t hypothesize ɡ How well an open source risk management initiative was resourced and supported
about any specific factors, but we were curious
ɡ When test suites were used — and tests passed — there was higher confidence that
about what factors were associated with high the application would operate as intended in production.
job satisfaction.
ɡ Where application deployments (including configurations) were fully automated
ɡ Where agile or DevOps development practices were in place
ɡ When OSS Enlightenment (defined above) was present
Interestingly, the most predictive question of Guidance for Enterprise High Performer results are achieved not by
job satisfaction was “How is your current open implementing a single tool or practice, but
source risk management initiative resourced and Development Teams through a combination of culture, development
supported?” This was the most detailed question we Our research shows that faster innovation and practices, policy enforcement, automation, and
asked regarding general organizational support and better risk management are not mutually exclu- integrations applied across the development
included sub-questions about executive support, sive. Indeed, High Performance engineering teams lifecycle. Furthermore, High Performers are not
budget, tooling, and documentation. We suspect are accelerating velocity while simultaneously only rewarded with increased productivity and
that this relationship is highlighting a connection reducing security and licensing risks. better security (SEE FIGURE 4D), but their employees
between level of employee support and job satisfac- demonstrate high levels of job satisfaction.
tion rather than an effect specific to support of open Our investigation into measures of high performance
source risk management initiatives. In future surveys component-based software development and deliv- Security First teams desiring to transform
we will ask more general “organizational support” ery helped us confirm four overarching, compelling themselves into High Performers would benefit
questions to evaluate this hypothesis. and predictable criteria: time to update depen- from automating their approval, management and
dencies, deployment frequency, time required analysis of open source components. They should
The usage of Agile or DevOps practices, as well for developers to be productive when switching also consider integrating developer friendly SCA
as automated deployments and their impact on teams, and time to detect and remediate defective tools into their CI process so they can automatically
job satisfaction are very similar to the early results components. Teams striving for productivity and risk scan build artifacts, easily identify open source
from the State of DevOps Research (cite: Dr. Nicole management outcomes that improve management security and licensing risk, and benefit from a
Forsgren, Jez Humble, Gene Kim, 2015 Puppet of their software supply chains and delivery practices SBOM for all applications.
Labs State of DevOps Report.31 should track performance of these criteria.
Productivity First teams wanting to shift up into Patterns Across OSS An astonishing story of how far an organization can
the High Performer quadrant should prioritize stray from ideal update practices comes from Eileen
partnering with governance counterparts to Component Updates: Easy, M. Uchitelle, Staff Engineer at GitHub, who described
integrate automated security scanning into their CI Difficult, and Planned how it took seven years to successfully migrate
process so they can easily add and remove OSS Over the years, we’ve become increasingly convinced GitHub from a forked version of Rails 2 to Rails 5.32
dependencies and regularly remediate known OSS that while updating dependencies is very important Even with new tools available to developers that
vulnerabilities. for functionality and security, there is a huge economic automatically create pull requests with updated
cost to staying up-to-date. Ideally, dependencies dependencies, changes in APIs and potential
should be updated, simply, safely and painlessly, and breakage can still hold back many developers from
as part of the routine development process. But reality updating. We suspect this change-induced break-
shows that this ideal is rarely met. age is a primary driver of poor updating practices.
allowing for easier and more frequent updates. On the opposite extreme, consider the graph for the and cost required to stay up-to-date. We believe
hibernate-validator library (FIGURE 4F), where there that this could reveal lessons and principles that
The following graphs show the different stories are two sets of communities using it — one favoring could help every organization using open source
around OSS update patterns by software develop- version 5 and another preferring version 6. The two software components.
ment teams. Updates from one version of a library communities very rarely intersect. This suggests that
to another are visually depicted by connecting updating to version 6 from version 5 is either too Now that we have explored practices and related
the two versions with an arc. The horizontal axis is difficult, or the value is not worth the effort. outcomes that contribute to successful software
an ordered list of library releases, where version supply chain management, let’s take a closer look
numbers increase as you move right. Finally, we take a look at the pattern for spring- at the volume, quality, and security of open source
core (FIGURE 4G), which suggests that updating is component consumption in the enterprise. ■
FIGURE 4E
joda-time.joda-time
joda-time.joda-time library library
Poor Migrations -> Good Migrations (by application count)
Poor Migrations -> Good Migrations (by application count)
50+ 40 50+ 40 10
30 20 30 20 10
0 10 0 30
20 10 20 30 40 50+
40 50+
50+ 40 30 20 10 0 10 20 30 40 50+
FIGURE 4F
hibernate-validator library
Poor Migrations -> Good Migrations (by application count)
50+ 40 30 20 10 0 10 20 30 40 50+
CHAPTER 4: HOW HIGH PERFORMANCE TEAMS MANAGE OPEN SOURCE SOFTWARE SUPPLY CHAIN
50+ 40
FIGURE 4G 30 20 10 0 10 20 30 40 50+
spring.spring-core library
Poor Migrations -> Good Migrations (by application count)
50+ 40 30 20 10 0 10 20 30 40 50+
Choosing open source projects should be considered OSS Project OSS Project
CHAPTER 5: THE TRUST AND INTEGRITY OF SOFTWARE SUPPLY CHAINS
1 in 10 OSS Downloads
from these internet-based code warehouses in order Furthermore, research from the University of
Are Vulnerable to build their applications. Darmstadt published in August 2019 revealed that
To better understand how defective and known vul- nearly 40% of all npm packages rely on code with
nerable component releases flow through software For the past seven years Sonatype has analyzed known vulnerabilities. Perhaps even more con-
supply chains, we first have to look at public open the patterns and practices associated with Java cerning is that 66% of security vulnerabilities in npm
source repositories (e.g., Maven Central, npmjs. components being downloaded from The Central packages remain unpatched, leaving developers
org, RubyGems.org, NuGet Gallery). Developers Repository (FIGURE 5B). In 2019, 10.4% of the billions who want to use secure packages with no safe
download free open source component releases of downloads had at least one known vulnerability.’ alternatives.34
11% of those
are known to Average OSS disclosed by development teams.
be vulnerable.
Average OSS disclosed by audit teams for the same projects.
626
90%
of components
560
590
CHAPTER 5: THE TRUST AND INTEGRITY OF SOFTWARE SUPPLY CHAINS
in an application 454
are open source.
236 252
221
25 25 29 27 17 29
8
Enterprises Rely on Code Further analysis of downloads from those organiza- OSS Components Make Up
tions reveals that 30,862 (8.3%) included at least
From 3,500 Suppliers, one known security vulnerability. Just as well, not 90% of a Modern Application
But Quality Varies all security vulnerabilities are created equal. Of the Just because a developer downloaded a compo-
Developers build applications with someone else’s 30,862 vulnerable downloads, 68% had Common nent does not mean that it was used in an applica-
code. Our study of 15,000 enterprise software Vulnerability Scoring System (CVSS) at 7.0 or above tion. To better understand how many open source
development organizations revealed an average on a 10 point scale. Thirty percent (30%) had CVSS components were used by developers, we inves-
of 373,000 open source component downloads scores above 9.0 on a 10 point scale. Minor fluctu- tigated and analyzed 1,700 applications for this
annually. The downloads represent an average ations in the percentage of vulnerable downloads year’s report. We found that development teams
of 3,552 OSS projects — the external supplier were seen on a country by country basis: United use an average of 135 software components of
network for code serving modern enterprise States (8.6%), France (8.3%), United Kingdom (8.6%), which 90% are open source. It was not uncommon
development. These downloads represent 11,294 and Germany (7.81%). to see applications assembled from 2,000 – 4,000
component releases from those projects. OSS component releases.
21% of Enterprises Experienced 2017 Survey 2018 Survey 2019 Survey 2020 Survey
Open Source Breaches
According to the X-Force Threat Intelligence Index
attacks on known vulnerabilities increased to 30% in
2019, up from 8% the previous year.36 Development
teams relying on open source components that
sometimes contain known vulnerabilities were not
immune to these attacks. The 2020 DevSecOps
Community Survey of over 5,000 development
professionals revealed that 21% had experienced
an open source component related breach in the
past 12 months (FIGURE 5E). ■
application, middleware, firmware or operating other artifacts on GitHub aimed to fulfill the needs
system. The specification maintains that an SBOM of cyber security command and control in a stan-
is needed to support the systematic review and dardized manner. Among them, the Department of
approval of each component’s license terms to Defense comply-to-connect use case defined an
understand the obligations and restrictions as it early step of querying the new device requesting
applies to the distribution of software.39 its “Software Bill of Materials” and comparing it to
policy as part of an acceptance process.42
In July 2019, Sen. Mike
CYBERSECURITY & INFRASTRUCTURE Crapo (R-ID) and Sen. Mark
SECURITY AGENCY NATIONAL TELECOMMUNICATIONS AND
In May 2019, CISA’s Supply Chain Risk Management INFORMATION ADMINISTRATION Warner (D-VA) introduced a
bill explaining that software
(SCRM) published a guide for detailing actionable Over the past year, the National
steps on how to start securing software supply Telecommunications and Information
chains. Steps recommended building a list of the Administration (NTIA) continued its pursuit to
establish the definition formats and standards for
supply chains have proven
software components organizations procured,
mapping supply chains to better understand what a Software Bill of Materials (SBOM). This multi- to be major means through
which adversaries seek
components were being procured, determining year, non-partisan initiative aims to define SBOM
how organizations would assess the security concepts and related terms, offers a baseline of
culture of suppliers, and establishing systems
for checking supply chain practices against
how software components are to be represented,
and discusses the processes around SBOM cre-
gain access to weapons
guidelines.40 ation. The initiative has also detailed the benefits systems, IT systems,
and communications
of building and managing SBOMs from the per-
U.S. CONGRESS spective of those who make software, those who
In July 2019, Sen. Mike Crapo (R-ID) and Sen. Mark
Warner (D-VA) introduced a bill explaining that
choose or buy software, and those who operate
it — characterizing security, quality, efficiency, and
technology platforms.
software supply chains have proven to be major other organizational benefits.
means through which adversaries seek gain access
to weapons systems, IT systems, and communica- FOOD AND DRUG ADMINISTRATION
tions technology platforms. While not signed into Working hand in hand with the U.S. Food and
law, the bill had called for “stronger effort should Drug Administration (FDA), the NTIA produced a
be placed on securing the vast supply chains of report documenting the successful execution and
the contractors responsible for developing and lessons learned of a proof-of-concept exercise
producing the defense related capabilities of the led by medical device manufacturers (MDMs) and
United States.”41 healthcare delivery organizations (HDOs). The
exercise examined the feasibility of SBOMs being
generated by MDMs and used by HDOs as part of
In December 2019, the NDAA — now signed into of its components (e.g., code, package files, OSS
law, called for the U.S. Secretary of Defense to and third-party libraries, documentation), and
establish pathways for the efficient and effective release integrity verification information.
acquisition, development, integration, and timely ⊲ See if there are publicly known vulnerabilities in
delivery of secure software. The Act included the OSS software components and services that
the requirement for software security testing that the vendor has not yet fixed.
includes vulnerability scanning and also asks for
the establishment of DevSecOps practices inside ⊲ Ensure each software component is still actively New guidance released
the Department of Defense. maintained, which should include new vulnerabil-
ities found in the software being remediated.
by the Centre advised
Section 800 of the Act required “assurances that
⊲ Determine a plan of action for each third party
that “third party coding
frameworks and libraries
cybersecurity metrics of the software to be acquired
and OSS software component that is no longer
or developed, such as metrics relating to the density
being maintained or available in the future.
of vulnerabilities within the code of such software,
the time from vulnerability identification to patch ⊲ Use the results of commercial services for vetting
also need to be considered
availability, the existence of common weaknesses OSS software components. in the same light as the
code you author. If third
within such code, and other cybersecurity metrics
⊲ Establish an organization-wide software
based on widely-recognized standards and industry
repository to host sanctioned and vetted OSS
best practices, are generated and made available to
the Department of Defense and the congressional
components. party components are
defense committees.”44 ⊲ Maintain a list of organization-approved commer- themselves vulnerable,
cial OSS components and component versions.
NATIONAL INSTITUTE OF
⊲ Have a security response playbook to handle a
this is likely to also
impact your system.”
STANDARDS AND TECHNOLOGY
generic reported vulnerability, a report of zero-
In April 2020, NIST released new standards for
days, a vulnerability being exploited in the wild,
improving software security aimed at helping
and a major ongoing incident involving multiple
“software producers reduce the number of
parties.46
vulnerabilities in released software, mitigate the
potential impact of the exploitation of undetected
or unaddressed vulnerabilities, and address the
United Kingdom
root causes of vulnerabilities to prevent future THE NATIONAL CYBER SECURITY
CENTRE: SECURE DEVELOPMENT
recurrences.”45
AND DEPLOYMENT GUIDANCE
NIST’s Secure Software Development Framework The Centre recognized that software development
offers several practices to improve the management practices are becoming increasingly automated
of open source software supply chains, including: and reliant on open source and third party
STRATEGY
also impact your system.”47
Patch Security vulnerabilities in Security vulnerabilities in Security vulnerabilities in
In an effort to help development teams evaluate applications applications and drivers applications and drivers applications and drivers
their OSS components and reduce security risk, the assessed as extreme risk assessed as extreme risk assessed as extreme risk
are patched, updated are patched, updated or mit- are patched, updated or
Centre provided the following eight questions:
or mitigated within one igated within two weeks of mitigated within 48 hours of
⊲ If there is a security vulnerability in the third party month of the security the security vulnerabilities the security vulnerabilities
components of your code, what security impact vulnerabilities being being identified by vendors, being identified by vendors,
identified by vendors, independent third parties, independent third parties,
may this have on your system?
independent third parties, system managers or users. system managers or users.
⊲ Is the dependency actively developed and system managers or Applications that are no lon- An automated mechanism is
maintained? users. ger supported by vendors used to confirm and record
Applications that are with patches or updates for that deployed application
⊲ If a vulnerability is found in one of your depen- no longer supported by security vulnerabilities are and driver patches or
dencies, would you know? Who would fix it? vendors with patches or updated or replaced with updates have been
updates for security vul- vendor-supported versions. installed, applied success-
⊲ Are you using any old versions of third party code nerabilities are updated or fully and remain in place.
known to contain security vulnerabilities? replaced with vendor-sup- Applications that are no
ported versions. longer supported by vendors
⊲ Do you know anything about the author and
with patches or updates for
maintainer of the dependency? How do they security vulnerabilities are
view and approach security? updated or replaced with
vendor-supported versions.
⊲ Does the dependency have any history of
security vulnerabilities? What’s important here is
not necessarily that issues are discovered, but
how they are handled. within 48 hours at the highest maturity level, while
Australia
⊲ If third party code is dynamically included into This year, the Australian Cyber Security Centre also recommending automated tooling to track
your product during the build or deployment (ACSC) has developed prioritised mitigation strat- where and when cybersecurity updates had been
process, can you ensure that it can’t be mali- egies to help organizations mitigate cyber security performed.49 ■
ciously modified? You could achieve this by incidents caused by various threats (SEE FIGURE 6A).
verifying its origin and integrity, for example. The Centre defined mitigation strategies that could
⊲ If the third party dependency you are using is be applied along three maturity levels. For updating
configurable, consider disabling or removing third party libraries and patching applications,
unneeded functionality which may widen the the guidance recommended mitigating actions
attack surface of your product.48 within a month at the lowest maturity level and
For more information, please visit Sonatype.com, or connect with us on Facebook, Twitter, or LinkedIn.