According to security reports, the substantial continuous progress of open-source supply and demand dynamics has been recently revealed. The report shows a 650% yearly increase in supply chain attacks regarding supply chain attacks and an enthralling division between the level of known cyber vulnerabilities present in popular and non-popular versions of a project.
A survey was conducted amongst 702 software engineering professionals. The responses concluded that the researchers observed a vital division between subjective beliefs regarding software chain management practices and objective results calculated among 100,000 applications.
The report has also assessed the operational demand, supply, and security trends linked to Java, Phyton, .Net, and JavaScript ecosystems. Moreover, a study was also conducted regarding the past 12 months of software engineering practices collected from 100,000 production applications and 4,000,000 component migrations completed by developers.
Summary of open-source supply, demand, and security dynamics in numbers
The open-source supply has increased to 20%, while the demand has risen to 73%. Followed by the percentage of attacks which has increased up to 650% so far this year. Production applications have only been utilized to up to 6% of available projects, while popular projects have become more vulnerable, with 29% of its versions consisting of no less than one known vulnerability in security.
Identified empirical metrics to find the top open-source projects
Research states that projects with a faster MTTU are more likely to be secured, and they have at least 1.8 times improbability to be exposed to vulnerabilities.
While it is found that popularity is not considered a reliable forecaster of security, it is 2.8 times probable to have consisted of cyber vulnerabilities.
The reality of software supply chain management practices
It is known that subjective survey feedback and objective data indeed have a sort of division. Some developers think that their way of fixing defective components has been so far effective. Therefore they conclude to have understood the origination of the risks. However, research indicates that some development groups lack well-planned guidance and often make poor decisions concerning software supply chain management.
