As software supply chains evolve in complexity, managing security risks has become an ever-changing challenge. New threats emerge daily, driven by rapid innovation and the heavy reliance on open source components.
Without disciplined security practices and robust controls, organizations struggle to keep pace with the demands of dependency management and timely vulnerability remediation.
In our latest State of the Software Supply Chain report, we cover best practices that not only manage software dependencies effectively but also proactively reduce risks associated with open source.
Choosing open source components goes beyond popularity metrics. Components with active and responsive communities tend to be more reliable and faster in addressing vulnerabilities.
Prioritizing those with high fix rates and low remediation times ensures better security and a lower Persistent Risk — a metric that denotes unresolved and potentially corrosive vulnerabilities.
By selecting components that publish a software bill of materials (SBOM), organizations add a layer of transparency and accountability, further reducing risks.
Building a robust quality assessment framework requires going beyond surface-level metrics like stars or forks on GitHub.
Instead of relying solely on popularity, organizations should actively evaluate risk factors such as latency — the average time it takes to discover vulnerabilities — which provides a clearer picture of a project’s long-term reliability.
Dependency management is vital for maintaining security across the software development life cycle (SDLC). Automated tools that continuously audit dependencies can identify risks in real-time, allowing teams to implement updates as soon as fixes become available.
This practice mitigates risks by addressing vulnerabilities quickly, preventing what we call "aging like steel" — where older components become progressively more vulnerable over time.
Organizations can establish policies that ensure regular updates and reviews of all dependencies, especially those that haven't been updated in over a year.
Tools that offer real-time alerts for outdated or vulnerable dependencies serve as a "smoke detector" for software, signaling when action is genuinely needed. These policies prevent complacency and ensure that developers remain proactive in their security practices.
As the scale of open source reaches unprecedented levels, the risk of open source malware infiltrating software supply chains continues to escalate.
Recent data from popular ecosystems highlights the scope of the challenge:
JavaScript (npm): Accounted for 4.5 trillion requests in 2024, reflecting a 70% year-over-year growth.
Python (PyPI): Estimated to reach 530 billion requests by the end of 2024, marking an 87% year-over-year increase.
Malicious packages: Over 512,847 malicious packages were identified in the past year alone — a 156% increase compared to the previous year.
This explosive growth has fueled a rise in next-generation supply chain attacks, which often target developers directly. Traditional security tools often falter in detecting such attacks, highlighting the necessity for rigorous vetting processes and proactive monitoring.
To mitigate these risks, organizations should adopt a cautious approach when integrating new or lesser-known components. Identify optimal well-maintained component versions and stay vigilant against the rising malicious threats that target less commonly used projects.
Organizations that participate in open source projects or industry initiatives benefit from staying ahead of emerging threats.
Aligning with groups like the Open Source Security Foundation (OSSF), which also produced the Open Source Consumption Manifesto, fosters collaboration across the community and helps companies refine their open source policies to meet evolving challenges.
As cybersecurity regulations tighten worldwide, organizations must be vigilant and compliant to avoid penalties and safeguard their software.
Our report highlights recent regulations, including:
The European Union's Cyber Resiliency Act (CRA).
All of these guidelines make a strong case for more secure development practices for vendors serving federal entities. Compliance is essential to meet these evolving standards and ensure a secure, well-managed supply chain.
For a deeper dive into strategies and statistics around open source risk management, check out our full 2024 State of the Software Supply Chain report.