MacStadium announced that it has obtained Cloud Security Alliance (CSA) Security, Trust & Assurance Registry (STAR) Level 1, meaning that MacStadium has publicly documented its compliance with CSA’s Cloud Controls Matrix (CCM), and that it joined the Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.
The State of Software Supply Chain 2023
October 05, 2023
In 2023, twice as many software supply chain attacks took place as 2019-2022 combined, according to State of the Software Supply Chain Report from Sonatype.
Source: Sonatype
Sonatype logged 245,032 malicious packages in 2023. One in eight open source downloads today pose known and avoidable risks.
Nearly all (96%) vulnerabilities are still avoidable. 2.1 billion OSS downloads with known vulnerabilities in 2023 could have been avoided because a better, fixed version was available — the exact same percentage as in 2022. For every suboptimal component upgrade made, there are typically 10 superior versions available.
Only 11% of open source projects are "actively maintained." Sonatype analyzed 1,176,407 open source projects across four major ecosystems and saw an 18% decline in "actively maintained" open source projects. The finding demonstrates the importance of constant vigilance from consumers in tracking the health of dependencies over time. The report highlights suboptimal open source consumption habits as the root cause of open source risk, contrary to public discourse often linking security risk with open source maintainers. In fact, the report demonstrates that maintainers, on average, promptly address and resolve issues.
"A lot of maintainers are very diligent — Big Tech companies go out of their way to hire talented people to maintain libraries they rely on," says Brian Fox, CTO at Sonatype. "Our industry needs to direct its efforts towards the right place. The fact that there's been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers on becoming better decision-makers, and giving them access to the right tools. The goal is to help developers be more intentional about downloading open source software from projects with the most maintainers and the healthiest ecosystem of contributors. This will not only create safer software, but also recoup nearly two weeks of wasted developer time each year."
Amidst rising software supply chain attacks, there's also a continued disconnect between perceived security and reality in software development:
■ Organizations think they have their software supply chains under control: 67% of respondents feel confident that their applications do not rely on known vulnerable libraries. Yet, nearly 10% of respondents reported their organizations had security breaches due to open source vulnerabilities in the last 12 months.
■ Awareness and mitigation of open source vulnerabilities lacks urgency in many organizations: The report found that 39% of organizations discover vulnerabilities within one to seven days; 29% take over a week to become aware and 28% discover within one day. When it comes to mitigation, 36.2% of respondents require over a week to mitigate vulnerabilities.
Developers play a pivotal role in driving progress, innovation, and excellence. Findings further highlight the direct relationship between developer productivity and access to superior tools and high-quality open source components. While investigating solutions for reducing security risks and time wasting, Sonatype discovered that:
■ Open source projects that are consistently maintained outperformed their counterparts on critical software security best practices. Compared to less-maintained libraries, consistently maintained projects tend to score:
- 5.9x higher on SAST
- 5.4x higher on Signed Releases
- 5.1x higher on Dependency Update Tools
- 3.6x higher on Code Review
- 3.8x higher on Branch Protection
■ Optimal dependency management saves time, money, and decreases security risk: When teams use better security data that reduce false positive findings by 25%, in combination with making optimal upgrade decisions, each team saves a total 1.5 months of time, per application, per year. This equates to a 2X boost in time saved over just making optimal upgrades.
"Impactful change necessitates clear direction," adds Fox. "For both better and worse, today's software organizations face an overwhelming amount of options for addressing these issues — from a multitude of frameworks to weekly governmental guidance, and more. All that choice is ripe to create paralysis, making it hard to get started."
Among the spike in software supply chain vulnerabilities, there are signs of developers taking measures to improve efficiencies and security posture. The report shows the use of AI/ML components in software development surging by 135% in less than a year, largely owing to the massive efficiencies the technology affords software developers, in addition to how quickly AI/ML components can be integrated into software development workflows. That said, developers and organizations face significant challenges in developing their own AI products.
"While AI/ML technology has become more accessible than ever, there are still significant implementation challenges. Developers and data scientists have to choose from hundreds of thousands of options for models and libraries," says Stephen Magill, Vice President of Innovation at Sonatype. "Choosing open source solutions comes with all of the familiar requirements around managing open source security risk. Choosing proprietary solutions can come with high costs. And in both cases, licensing of both the models and the model outputs can be very uncertain."
Industry News
May 08, 2024
The Cloud Native Computing Foundation® (CNCF®) released the two-day schedule for CloudNativeSecurityCon North America 2024 happening in Seattle, Washington from June 26-27, 2024.
May 08, 2024
Sumo Logic announced new AI and security analytics capabilities that allow security and development teams to align around a single source of truth and collect and act on data insights more quickly.
May 08, 2024
Red Hat is announcing an optional additional 12-month EUS term for OpenShift 4.14 and subsequent even-numbered Red Hat OpenShift releases in the 4.x series.
May 08, 2024
HAProxy Technologies announced the launch of HAProxy Enterprise 2.9.
May 08, 2024
ArmorCode announced the general availability of AI Correlation in the ArmorCode ASPM Platform.
May 08, 2024
Octopus Deploy launched new features to help simplify Kubernetes CD at scale for enterprises.
May 08, 2024
Cequence announced multiple ML-powered advancements to its Unified API Protection (UAP) platform.
May 07, 2024
Oracle announced plans for Oracle Code Assist, an AI code companion, to help developers boost velocity and enhance code consistency.
May 07, 2024
New Relic launched Secure Developer Alliance.
May 07, 2024
Dynatrace is enhancing its platform with new Kubernetes Security Posture Management (KSPM) capabilities for observability-driven security, configuration, and compliance monitoring.
May 07, 2024
Red Hat announced advances in Red Hat OpenShift AI, an open hybrid artificial intelligence (AI) and machine learning (ML) platform built on Red Hat OpenShift that enables enterprises to create and deliver AI-enabled applications at scale across hybrid clouds.
May 07, 2024
ServiceNow is introducing new capabilities to help teams create apps and scale workflows faster on the Now Platform and to boost developer and admin productivity.
May 06, 2024
Red Hat and Oracle announced the general availability of Red Hat OpenShift on Oracle Cloud Infrastructure (OCI) Compute Virtual Machines (VMs).
May 06, 2024
The Software Engineering Institute at Carnegie Mellon University announced the release of a tool to give a comprehensive visualization of the complete DevSecOps pipeline.
