The 2021 State of the Software Supply Chain, the 6th Annual Report on Global Open Source Software Development, is an analysis of developer trends based on a survey of over 30,000 software developers from 160 countries, produced by Sonatype.
A key finding from the report is a 430% growth in next-generation cyber-attacks that actively target open source software projects. The attacks noted over the last twelve months are new in that they no longer manifest as passive exploitation of known weaknesses but as aggressors actively implanting malware into open source projects. That means the world’s open source community must distinguish between legacy supply chain exploits and next-generation supply chain attacks.
Open-source security
Over the last seven years, Sonatype has analyzed the patterns and practices associated with Java components downloaded from the Central Repository, finding that in 2019, 10.4% of the billions of downloads had at least one known vulnerability. One in ten OSS downloads is vulnerable.
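The figure above is about components that already have a known vulnerability, which is the legacy case the report contrasts with active malware implantation. The check a team can run on its own side is a dependency audit: read the coordinates and versions out of the build manifest and compare them against an advisory list using version ranges. The script below is an added example and is not code from the report or from Sonatype; the pom.xml, the advisory records and their ids are constructed placeholders, and the version comparison handles only numeric dotted versions.

```python
"""Audit Maven dependencies in a pom.xml against a small advisory list.

Added example, not Sonatype's tooling. The manifest and the advisories
below are constructed for illustration; ADV-PLACEHOLDER-* are not real ids.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample manifest. lib-d uses a property reference for its
# version, which a plain parser cannot resolve and must report separately.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <dependencies>
    <dependency><groupId>org.example</groupId><artifactId>lib-a</artifactId><version>1.2.3</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-b</artifactId><version>2.0.1</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-c</artifactId><version>3.1.0</version></dependency>
    <dependency><groupId>org.example</groupId><artifactId>lib-d</artifactId><version>${lib.version}</version></dependency>
  </dependencies>
</project>"""

# Constructed advisories: affected range is [introduced, fixed).
ADVISORIES = [
    {"ga": "org.example:lib-a", "introduced": "1.0.0", "fixed": "1.2.4", "id": "ADV-PLACEHOLDER-1"},
    {"ga": "org.example:lib-b", "introduced": "2.0.0", "fixed": "2.0.1", "id": "ADV-PLACEHOLDER-2"},
]


def parse_version(version):
    """Turn a dotted numeric version into a comparable tuple of ints.

    Qualifiers such as -SNAPSHOT or .RELEASE are ignored, so this is only
    adequate for purely numeric version schemes.
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def local_name(tag):
    """Strip the XML namespace that Maven puts on every element."""
    return tag.split("}")[-1]


def parse_pom(pom_xml):
    """Return (group:artifact, version) pairs declared in a pom.xml."""
    root = ET.fromstring(pom_xml)
    deps = []
    for element in root.iter():
        if local_name(element.tag) != "dependency":
            continue
        fields = {local_name(child.tag): (child.text or "").strip() for child in element}
        ga = f"{fields.get('groupId', '')}:{fields.get('artifactId', '')}"
        deps.append((ga, fields.get("version", "")))
    return deps


def is_affected(version, advisory):
    """True when version lies in the advisory's half-open [introduced, fixed) range."""
    v = parse_version(version)
    return parse_version(advisory["introduced"]) <= v < parse_version(advisory["fixed"])


def audit(pom_xml, advisories=ADVISORIES):
    """Match every declared dependency against the advisory list.

    Returns the findings plus the dependencies whose version could not be
    resolved (missing or a ${property} reference), so they are never
    silently treated as clean.
    """
    findings, unresolved = [], []
    for ga, version in parse_pom(pom_xml):
        if not version or "${" in version:
            unresolved.append(ga)
            continue
        for advisory in advisories:
            if advisory["ga"] == ga and is_affected(version, advisory):
                findings.append({
                    "dependency": ga,
                    "version": version,
                    "advisory": advisory["id"],
                    "fixed_in": advisory["fixed"],
                })
    return {"findings": findings, "unresolved": unresolved}


if __name__ == "__main__":
    result = audit(SAMPLE_POM)
    for finding in result["findings"]:
        print(f"{finding['dependency']} {finding['version']}: {finding['advisory']} (fixed in {finding['fixed_in']})")
    for ga in result["unresolved"]:
        print(f"{ga}: version not resolvable from this pom, resolve the effective POM first")
```

Two points the run illustrates: lib-b sits exactly on the fixed version and is correctly reported clean because the range is half-open, and lib-d is flagged as unresolved rather than passed. In practice the advisory list would come from a vulnerability database and the manifest from the resolved dependency tree (transitive dependencies included), not from the top-level pom alone.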
As issues like the war in Ukraine have risen on the agenda of many in the tech community, the open source community…