:
Skip Navigation
Resources Blog From risks to resilience: Best practices for software ...

From risks to resilience: Best practices for software supply chain security

From risks to resilience: Best practices for software supply chain security
5:10

As software supply chains evolve in complexity, managing security risks has become an ever-changing challenge. New threats emerge daily, driven by rapid innovation and the heavy reliance on open source components.

Without disciplined security practices and robust controls, organizations struggle to keep pace with the demands of dependency management and timely vulnerability remediation.

In our latest State of the Software Supply Chain report, we cover best practices that not only manage software dependencies effectively but also proactively reduce risks associated with open source.

Informed selection of open source components

Choosing open source components goes beyond popularity metrics. Components with active and responsive communities tend to be more reliable and faster in addressing vulnerabilities.

Prioritizing those with high fix rates and low remediation times ensures better security and a lower Persistent Risk — a metric that denotes unresolved and potentially corrosive vulnerabilities.

By selecting components that publish a software bill of materials (SBOM), organizations add a layer of transparency and accountability, further reducing risks.

Comprehensive quality assessment framework

Building a robust quality assessment framework requires going beyond surface-level metrics like stars or forks on GitHub.

Instead of relying solely on popularity, organizations should actively evaluate risk factors such as latency — the average time it takes to discover vulnerabilities — which provides a clearer picture of a project’s long-term reliability.

Proactive dependency management

Dependency management is vital for maintaining security across the software development life cycle (SDLC). Automated tools that continuously audit dependencies can identify risks in real-time, allowing teams to implement updates as soon as fixes become available.

This practice mitigates risks by addressing vulnerabilities quickly, preventing what we call "aging like steel" — where older components become progressively more vulnerable over time.

Reducing complacency in maintenance

Organizations can establish policies that ensure regular updates and reviews of all dependencies, especially those that haven't been updated in over a year.

Tools that offer real-time alerts for outdated or vulnerable dependencies serve as a "smoke detector" for software, signaling when action is genuinely needed. These policies prevent complacency and ensure that developers remain proactive in their security practices.

Vigilance against open source malware

As the scale of open source reaches unprecedented levels, the risk of open source malware infiltrating software supply chains continues to escalate.

Recent data from popular ecosystems highlights the scope of the challenge:

  • JavaScript (npm): Accounted for 4.5 trillion requests in 2024, reflecting a 70% year-over-year growth.

  • Python (PyPI): Estimated to reach 530 billion requests by the end of 2024, marking an 87% year-over-year increase.

  • Malicious packages: Over 512,847 malicious packages were identified in the past year alone — a 156% increase compared to the previous year.

This explosive growth has fueled a rise in next-generation supply chain attacks, which often target developers directly. Traditional security tools often falter in detecting such attacks, highlighting the necessity for rigorous vetting processes and proactive monitoring.

To mitigate these risks, organizations should adopt a cautious approach when integrating new or lesser-known components. Identify optimal well-maintained component versions and stay vigilant against the rising malicious threats that target less commonly used projects.

Continuous improvement and collaboration

Organizations that participate in open source projects or industry initiatives benefit from staying ahead of emerging threats.

Aligning with groups like the Open Source Security Foundation (OSSF), which also produced the Open Source Consumption Manifesto, fosters collaboration across the community and helps companies refine their open source policies to meet evolving challenges.

Security is a universal issue

As cybersecurity regulations tighten worldwide, organizations must be vigilant and compliant to avoid penalties and safeguard their software.

Our report highlights recent regulations, including:

All of these guidelines make a strong case for more secure development practices for vendors serving federal entities. Compliance is essential to meet these evolving standards and ensure a secure, well-managed supply chain.

Discover more insights in our full report

For a deeper dive into strategies and statistics around open source risk management, check out our full 2024 State of the Software Supply Chain report.

Picture of Aaron Linskens

Written by Aaron Linskens

Aaron is a technical writer on Sonatype's Marketing team. He works at a crossroads of technical writing, developer advocacy, software development, and open source. He aims to get developers and non-technical collaborators to work well together via experimentation, feedback, and iteration so they can build the right software.