Software Supply Chain Attacks Soar 742% in Three Years

Experts have uncovered 88,000 malicious open source packages so far this year, a triple-digit percentage increase on the 2019 figure and a sign of a fast-growing corporate attack surface.

The figures come from Sonatype’s eighth annual State of the Software Supply Chain report, which was compiled from public and proprietary data analysis, including 131 billion Maven Central downloads and thousands of open source projects.

It details the growing risk to corporate systems from both malicious packages that threat actors insert into public repositories and accidentally vulnerable packages that DevOps teams unwittingly download.

The surge in malicious activity is testament to the growing use of open source packages by these teams to speed time-to-market. Sonatype estimated that open source requests would exceed three trillion this year.

The sheer scale of open source consumption, and the extra complexity introduced by software dependencies, can mean threats and vulnerabilities go unnoticed by developers, the vendor argued.

It claimed that the average Java application now contains 148 dependencies – 20 more than last year. With the average Java project updating 10 times a year, developers must track intelligence on nearly 1500 dependency changes annually for each application they work on, Sonatype estimated.

However, visibility into these development environments appears to be lacking: transitive dependencies (libraries pulled in indirectly by a project's direct dependencies, which developers rarely choose or review themselves) accounted for six out of every seven bugs affecting open source projects over the past year, it claimed.

Overall, 96% of open source Java downloads containing known vulnerabilities could have been avoided, because a better, non-vulnerable version was already available but was not used, the report noted.

Unfortunately, many organizations appear to be operating under a false sense of security.

The report revealed that 68% of survey respondents were confident that their applications are not using vulnerable libraries. However, a random sample of enterprise applications showed that 68% contained known vulnerabilities.

“Immature organizations expect their developers to stay on top of license compliance concerns, multiple project releases, dependency changes, and open source ecosystem knowledge along with their regular job responsibilities. This is in addition to external pressures like speed,” explained Sonatype CTO, Brian Fox.

“It comes as no surprise that job satisfaction is heavily linked to software supply chain practices maturity. This sobering reality demonstrates the immediate need for organizations to prioritize software supply management so that they can better deal with security risk, increase developer efficiency, and enable faster innovation.”

