DEVOPSdigest

The explosion of open source software consumption, combined with the increasing backlog of critical vulnerabilities and the rise of outside threats, paints an alarming picture of the current state of software supply chain security. Sonatype's State of the Software Supply Chain Report highlights the biggest issues plaguing development teams, revealing how cyber attacks are evolving and emphasizing the need for better defense.

The Current Software Supply Chain Security Landscape

Open source is experiencing a time of unprecedented growth, with an estimated 6.6 trillion downloads of open source packages at the end of 2024. However, this surge in consumption also brings a host of new threats. With open source accounting for up to 90% of modern software applications, the software supply chain has become a primary target for bad actors. For example, at the same time the JavaScript ecosystem has experienced a 70% year-over-year increase in requests, it has also seen a 156% year-over-year increase in malicious packages — totaling more than 512,847 in the past year alone.

This is just one example of the urgent need for greater risk mitigation within software development. The problem contributing to this persistent risk is two-fold. First, there is a lack of discipline in selecting and managing open source components. Despite updated versions available for over 99% of packages, 80% of application dependencies remain un-upgraded for over a year. On top of that, when vulnerable components are consumed, a fixed version already exists 95% of the time. Second, traditional scanning tools and endpoint security products cannot detect new open source malware, meaning DevOps teams often aren't even aware they're at risk until malware is already present in their build environments.

As threats continue to increase, organizations must mitigate them proactively. This starts with developers adopting a "security-first" mindset, one that prioritizes responsible dependency management, leverages advanced tools and focuses on earlier intervention. Doing so is the only way to minimize risk before it's too late.

The Need For Proactive Dependency Management

Organizations must prioritize proactive dependency management, high-quality component selection and vigilance against vulnerabilities to mitigate escalating risks. A Software Bill of Materials (SBOM) is an essential tool in this approach, as it offers a comprehensive inventory of all software components, enabling organizations to quickly identify and address vulnerabilities across their dependencies. In fact, projects that implement an SBOM to manage open source software dependencies demonstrate a 264-day reduction in the time taken to fix vulnerabilities compared to those that do not. SBOMs provide a comprehensive list of every component within the software, enabling quicker response times to threats and bolstering overall security.

However, despite the rise in SBOM usage, it is not keeping pace with the influx of new components being created, highlighting the need for enhanced automation, tooling and support for open source maintainers. In the past year, 60,813 SBOMs were published while 6,971,092 new components were created within the same timeframe, which demonstrates the critical gap in software transparency that exacerbates risks from unmanaged dependencies and persistent vulnerabilities.

This complacency — characterized by a false sense of security — accumulates risks that threaten the integrity of software supply chains. The rise of open source malware further complicates the landscape, as attackers exploit poor dependency management. Recent malicious npm packages, for example, concealed macOS malware in travis.yml files, deploying binaries disguised as legitimate updates. These incidents show how attackers use public repositories to infiltrate development environments. To secure their environments effectively, software manufacturers must adopt rigorous practices and advanced tooling.

Best Practices for Reliable Dependency Management

Despite the increasing challenges, there is a light at the end of the tunnel. While not a silver bullet, proactive dependency management can reduce many of these risks if a few best practices are followed:

■ Focus on High-Quality Components: Prioritize high-quality open source components. Projects supported by recognized foundations exhibit better security practices and fewer vulnerabilities.

■ Leverage Intelligent Software Composition Analysis (SCA): Implementing intelligent SCA tools can enhance developer efficiency and risk management without altering workflows.

■ Utilize Automation to Enhance Collaboration and Save Developer Time: Implement scalable automation for dependency management to reduce conflicts between security and engineering teams, freeing up to 5% of engineering capacity. By updating components only when necessary, automation minimizes false positives, reduces noise and saves valuable developer time.

■ Integrate Advanced Reachability Analysis: Combining reliable automation with advanced reachability analysis empowers developers to produce high-quality software more quickly. This approach enables security teams to focus on actionable vulnerabilities, further enhancing overall security.

■ Make SBOM Practices Standard: Implementing SBOMs as a core practice provides visibility into software components, essential for quickly identifying and remediating vulnerabilities. Organizations should treat SBOM management as a fundamental part of their security protocols.

By prioritizing better dependency management, organizations can significantly improve their security posture and operational efficiency, ensuring they remain competitive and resilient against evolving threats to the software supply chain.