Managed Software Supply Chain Delivers Increased Productivity and Quality
August 28, 2017

Pete Goldin
DEVOPSdigest

Organizations that are actively managing the quality of open source components flowing into production applications are realizing a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality, according to the 2017 State of the Software Supply Chain Report from Sonatype.

Furthermore, analysis of more than 17,000 applications reveals that applications built by teams utilizing automated governance tools reduced the percentage of defective components by 63 percent.

Conversely, organizations failing to manage software supply chains are unwittingly releasing vulnerable applications into production, wasting thousands of hours on rework and bug fixes, and facing increased liability due to gross negligence.

Additional key findings of the 2017 State of the Software Supply Chain report include:

Consumption of open source components is growing on a massive scale

■ Year-over-year downloads of Java components grew 68 percent (52 billion in 2016), JavaScript downloads grew 262 percent (59 billion in 2016), and demand for Docker components is expected to grow 100 percent (12 billion downloads).

■ Faced with a near infinite supply of open source components, high-functioning DevOps organizations are utilizing machine automation to govern the quality of open source components flowing through their software supply chains.

Open source component suppliers remain slow to fix vulnerabilities

■ Even when vulnerabilities are known, OSS projects are slow to remediate - if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.

■ This puts the onus on DevOps organizations to actively govern which OSS projects they work with, and which components they ultimately consume.

Number of downloaded components with known vulnerabilities is slightly decreasing

■ In 2016, the percent of Java components downloaded from the Central Repository that contained known security vulnerabilities fell to 5.5 percent (1 in 18), down from 6.1 percent the year prior.  

■ Although this defect download ratio is far from perfect, there is empirical evidence that hygiene is beginning to improve with ratios declining slightly in each of the last three years.

The regulatory landscape is rapidly changing

■ In the past year in the United States, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety, and security of software supply chains.


Wayne Jackson, CEO, Sonatype, said: “Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts. However, many still rely on manual and time consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity.”

Methodology: The 2017 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis. This year’s report extends beyond Java data to include supply chain findings from JavaScript, NuGet, Python, and Docker ecosystems.

The Latest

May 24, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on the top tools to support DevSecOps. Part 3 covers security and monitoring ...

May 22, 2018

DEVOPSdigest asked experts from across the IT industry for their opinions on the top tools to support DevSecOps. Part 2 covers DevOps and development ...

May 21, 2018

While DevSecOps, much like DevOps itself, is more about changing IT culture than employing certain types of technology, some tools can be an important support. To find out what the right tools are, DEVOPSdigest asked experts from across the IT industry for their opinions on the top tools to support DevSecOps. Part 1 covers the testing phase ...

May 17, 2018

The top two business priorities for CIOs of midsize enterprises (MSEs) in 2018 are growth and digital transformation. However, 57 per cent of MSEs are not yet delivering digital initiatives, according to findings from Gartner Inc.'s 2018 CIO Agenda Survey ...

May 15, 2018

Almost every company is facing the challenge of digital transformation today. This means rethinking and retooling your company to compete and succeed in an increasingly digital world. While digital transformation is not only about technology, the right tools can help. To find out what these right tools are, APMdigest asked experts from across the IT industry for their opinions on the essential tools to support digital transformation ...

May 08, 2018

With data breaches consistently being in the news over the last several years, it is no wonder why data privacy has become such a hot topic and why the European Union (EU) has put in place General Data Protection Regulation (GDPR) which will become enforceable on May 25, 2018, which is less than a month away ...

May 03, 2018

The prospect of increased workloads, combined with shrinking mainframe skillsets, has huge implications for mainframe DevOps. The only way for organizations to solve this skills gap crisis is by optimizing developer productivity. Drilling down a level further, what does this all mean for mainframe DevOps? ...

May 02, 2018

When it comes to operations and development, DevOps has changed the traditional compartmentalized style of development by eliminating silos. But what about the security team? Security is largely still siloed from operations and development. No doubt, many DevOps teams have some security controls baked into their automation processes, but a recent survey shows there are still alarming gaps ...

April 30, 2018

According to the 2018 Global Security Trends in the Cloud report, 93 percent of respondents faced challenges when deploying their current on-premises security tools in the cloud, and 97 percent lacked the tools, cross-functional collaboration and resources to gain proper insight into security across the organization. These numbers indicate a big problem in DevSecOps that needs to be addressed ...

April 26, 2018

Moving more workloads to the cloud is a top IT priority, so eventually it will be time to consider how to make those critical legacy applications cloud ready. In Part 1 of this blog, I outlined the first four of eight steps to chart your cloud journey. In addition, consider the next four steps below ...

Share this