Sonatype today, during its virtual All Day DevOps (ADDO) event, shared the results of a report that finds a 156% year-over-year increase in the number of malicious open source packages, with more than 512,847 discovered in the past year.
More troubling still, the report notes that 95% of the time a vulnerable component is consumed by an application developer, a fixed version already exists.
Sonatype CTO Brian Fox said the 10th Annual State of the Software Supply Chain Report makes it clear that, despite repeated warnings, there remains a significant amount of complacency that will eventually lead to security breaches. Even though an updated version of nearly every vulnerable package is available, 80% of application dependencies go un-upgraded for more than a year, the report finds.
In addition, the report notes that many of the critical vulnerabilities that need to be addressed are becoming more challenging to remediate: in some instances, critical vulnerabilities discovered this year took more than 500 days to fix.
That suggests package maintainers are struggling to cope with a growing backlog of newly discovered vulnerabilities, said Fox.
In the meantime, consumption of open source software only continues to increase. Sonatype's analysis of data collected from more than seven million open source projects finds an estimated 6.6 trillion downloads of these packages in the past year.
Specifically, consumption of Python (PyPI) packages increased by 80%, to more than 530 billion package requests, while JavaScript (npm) downloads increased by 70%, to 4.5 trillion package requests.
On the plus side, the report does confirm that open source projects with paid maintainers are nearly three times more likely to have a comprehensive security policy. Components with paid support also resolve outstanding vulnerabilities up to 45% faster and typically have half as many vulnerabilities overall.
While a lot of progress has been made in the adoption of DevSecOps best practices, the report makes it clear there is still much work to be done. The challenges are as much cultural as technical: organizations still need to impress upon developers the need to scan code as they create it, Fox noted. At the same time, organizations need to operationalize software bills of materials (SBOMs) so that, whenever a new vulnerability is disclosed, it is simple to discover where the affected package is actually running.
Additionally, many organizations are still hunting for instances of well-known vulnerabilities such as Log4Shell: 13% of Log4j downloads remained vulnerable three years after the flaw was initially disclosed.
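As an added illustration of what "operationalizing an SBOM" looks like in practice, the script below (example code written for this page, not Sonatype's tooling or any method the report describes) matches a CycloneDX-style SBOM against an advisory's affected version range and reports which vulnerable components are present, which parent components pull them in, and which fixed version already exists. The SBOM, the application name "payments-api", the "legacy-report" internal library and the advisory record format are constructed assumptions; only the Log4Shell range itself (log4j-core 2.0-beta9 through 2.14.1, fixed in 2.15.0, CVE-2021-44228) is the published one.

```python
"""Match a CycloneDX-style SBOM against a vulnerability's affected version range.

Added example for this page. All inputs are constructed for illustration:
the SBOM, the application and library names, and the advisory record shape
are assumptions, not a real inventory or vendor feed.
"""
import json
import re

# Constructed sample SBOM in the CycloneDX JSON shape (minimal fields only).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "metadata": {"component": {"bom-ref": "app", "name": "payments-api", "version": "3.2.0"}},
    "components": [
        {"bom-ref": "log4j-core-2.14.1", "type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"bom-ref": "log4j-core-2.17.1", "type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1"},
        {"bom-ref": "log4j-core-2.0-beta9", "type": "library",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.0-beta9"},
        {"bom-ref": "jackson-2.13.0", "type": "library",
         "purl": "pkg:maven/com.fasterxml.jackson.core/jackson-databind@2.13.0"},
        # Internal library without a purl: it cannot be matched against an advisory.
        {"bom-ref": "legacy-report", "type": "library", "name": "legacy-report", "version": "1.4"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["log4j-core-2.17.1", "jackson-2.13.0", "legacy-report"]},
        {"ref": "legacy-report", "dependsOn": ["log4j-core-2.14.1"]},
    ],
})

# Assumed advisory record shape: half-open range [introduced, fixed) on one package.
# The log4j-core range is the published one for Log4Shell (CVE-2021-44228).
ADVISORIES = [
    {"id": "CVE-2021-44228", "type": "maven", "namespace": "org.apache.logging.log4j",
     "name": "log4j-core", "introduced": "2.0-beta9", "fixed": "2.15.0"},
]


def version_key(version):
    """Sort key for versions: numeric dot-parts (trailing zeros dropped, so 2.0 == 2.0.0),
    then a release flag so that a qualified version (2.0-beta9, 1.0-rc1) sorts below the
    bare release of the same number. Qualifiers order alphabetically, then by their digits.
    Simplification: any qualifier is treated as a pre-release."""
    m = re.match(r"^(\d+(?:\.\d+)*)(?:[-.]?([A-Za-z]+)(\d*))?$", version)
    if not m:
        raise ValueError(f"unsupported version format: {version!r}")
    nums = [int(x) for x in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    qualifier = m.group(2)
    if qualifier is None:
        return (tuple(nums), 1, "", 0)
    return (tuple(nums), 0, qualifier.lower(), int(m.group(3) or 0))


def parse_purl(purl):
    """Split a package URL (pkg:type/namespace/name@version) into its parts.
    Qualifiers (?...) and subpaths (#...) are ignored for matching."""
    m = re.match(r"^pkg:([^/]+)/(?:(.+)/)?([^/@]+)@([^?#]+)", purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl!r}")
    return {"type": m.group(1), "namespace": m.group(2), "name": m.group(3), "version": m.group(4)}


def is_affected(version, advisory):
    """True when introduced <= version < fixed under version_key ordering."""
    key = version_key(version)
    return version_key(advisory["introduced"]) <= key < version_key(advisory["fixed"])


def reverse_deps(sbom):
    """Map each bom-ref to the list of bom-refs that directly depend on it."""
    rev = {}
    for entry in sbom.get("dependencies", []):
        for child in entry.get("dependsOn", []):
            rev.setdefault(child, []).append(entry["ref"])
    return rev


def scan_sbom(sbom_json, advisories):
    """Return one finding per (component, advisory) pair whose version is in range.
    Components without a purl are skipped: there are no coordinates to match on."""
    sbom = json.loads(sbom_json)
    rev = reverse_deps(sbom)
    findings = []
    for comp in sbom.get("components", []):
        if "purl" not in comp:
            continue
        parts = parse_purl(comp["purl"])
        for adv in advisories:
            same_pkg = (parts["type"], parts["namespace"], parts["name"]) == \
                       (adv["type"], adv["namespace"], adv["name"])
            if same_pkg and is_affected(parts["version"], adv):
                findings.append({"advisory": adv["id"], "purl": comp["purl"],
                                 "fixed_in": adv["fixed"], "via": rev.get(comp.get("bom-ref"), [])})
    return findings


if __name__ == "__main__":
    for f in scan_sbom(SAMPLE_SBOM, ADVISORIES):
        print(f"{f['advisory']}: {f['purl']} (fixed in {f['fixed_in']}) "
              f"reached via {f['via'] or ['<no recorded parent>']}")
```

Two things the output makes visible that a flat component list does not: the vulnerable 2.14.1 copy is not a direct dependency of the application but arrives through the internal "legacy-report" library, and the orphaned 2.0-beta9 entry has no recorded parent at all, which is exactly the kind of stale artifact that keeps showing up years after a disclosure. The version comparison is deliberately simple; for real Maven or npm coordinates use the ecosystem's own ordering rules rather than this approximation.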
One way or another, the overall quality of application security is going to improve as regulations become more stringent. Governments around the world are signaling that they will hold organizations more accountable for the security of the applications they deploy. The challenge, of course, is addressing those requirements before a hefty fine makes it apparent to everyone concerned that not enough is being done.