News and Notes from the Makers of Nexus | Sonatype Blog

What 36,000 OSS projects and 12,000 commercial dev teams taught us about secure coding practices

Written by Derek Weeks | June 25, 2019

After ten months of research which involved studying 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases, we are pleased to announce the arrival of the 2019 State of the Software Supply Chain report.

This year's report is different. We partnered with research partners Gene Kim from IT Revolution, and Dr. Stephen Magill from Galois and CEO of Muse, to objectively examine and empirically document, for the first time, the attributes of exemplary development practices, especially in relation to secure coding practices. But, as in year's past, we've also analyzed the rapidly expanding supply and continued exponential growth in demand of open source components.

Not all open source projects are created equal

For the past four years, we've studied the ins and outs of the software supply chain - what it's comprised of, how vulnerabilities are getting in and how often, the growing regulations, and most recently, a new trend where adversaries are purposely attacking the supply chain with malicious components.

For our fifth anniversary of the report, we wanted to look deeper. We wanted to understand exactly how enterprise development teams, and potentially even more importantly how OSS projects were thinking about, and addressing, the software supply chain security issues. We wanted to understand and identify the very best practices so we could share them with others.

As a result of our research, we identified five common behavior patterns across 36,000 open source development teams. This includes, identifying attributes of large and small Exemplars who rest within the top 3% -- or 1,229 -- OSS project development behaviors.

To arrive at this list we examined a large number of variables including:

  • Do differences exist in how effectively OSS projects update their dependencies and fix vulnerabilities?

  • Are there exemplary teams that do this better than others?

  • Are components from exemplary teams more widely-used than "non-exemplary" components?

  • What factors correlate with exemplary components?

  • What advice can be offered to producers of OSS components and the developers that consume them?

The answers were quite striking - and the resulting data even more illuminating. While the report identifies Small Exemplars and Large Exemplars, we've also identified three additional groups of OSS projects - Laggards, Features First, and Cautious.

Exemplary commercial DevSecOps practices create superior software

There are clear, competitive advantages for teams with exemplary DevSecOps practices.

As we've been saying for years "Innovation is critical, speed is king, and open source is at center stage." Today's research further underscores these accelerating trends throughout the software supply chain. It also shows that taming the supply chain is possible. By making better supplier choices, component selection, and using automation, dev teams are seeing impressive rewards. In fact, for those development teams actively managing their software supply chains, the use of known vulnerable component releases were reduced by 55%.

This year's report details 11 other behaviors and attributes of leading enterprise development teams, including their frequency of software releases, use of repository managers, and reliance on software bill of materials (SBOM).

Download the full report

This year's research collaboration with Gene and Stephen has shed new light on exemplary development and DevOps practices. It gives us great pleasure each year to share our observations with you. We invite you to read the report, reflect on its findings with regard to your own development efforts, and share any feedback you have on the findings with us.