Over the past decade, the world of open source software has undergone a seismic transformation, both in terms of its scale and challenges.
From the explosion of open source adoption to the evolution of software supply chain attacks, the last 10 years have reshaped how developers, organizations, and even governments interact with open source.
Our recently published State of the Software Supply Chain report explores these changes in depth. Let's dive into a few key topics from the report, highlighting how the transformation and evolution of open source continue to impact the software industry.
The rise of open source: A double-edged sword
In the early 2010s, open source gained momentum, but few could have predicted just how integral it would become to modern software development.
Today, open source components make up to 90% of modern software applications, and the number of requests for open source packages continues to soar. In 2024, we expect total open source downloads to exceed 6.6 trillion. Ecosystems like npm and PyPI have driven this growth, with npm projected to handle 4.5 trillion requests by year-end.
However, this growth has also introduced challenges. The rise in open source usage has increased associated risks, with a surge in discovered vulnerabilities and 704,102 malicious packages identified since 2019.
Malicious packages and the software supply chain threat
Over the past decade, the rise of software supply chain attacks has been alarming. Incidents like 2014's Heartbleed and 2017's Equifax breach highlighted the danger of unpatched security vulnerabilities in open source components.
These events showed the software supply chain's fragility as attackers found that compromising one component could have widespread effects. Software ecosystems became more interconnected, and so did the threat landscape.
By 2024, software supply chain attacks doubled, with more malicious actors taking aim at developer infrastructure. This shift to targeted attacks marks a new era of cybersecurity threats organizations must be prepared to face.
A decade of regulation and best practices
The evolving threat landscape has not gone unnoticed. In the past decade, governments and regulatory bodies introduced frameworks aimed at improving software supply chain security.
The Cyber Supply Chain Management and Transparency Act of 2014 proposed the idea of a software bill of materials (SBOM), which has since become a cornerstone of modern supply chain security practices. Although the act did not become law at the time, it laid the groundwork for current regulations like Executive Order 14028.
By 2024, SBOMs are essential for software transparency and risk mitigation. However, there's a gap between published SBOMs and new components. In 2024, 72,065 SBOMs were published, but this is overshadowed by the number of new components, underscoring the need for broader adoption.
Persistent challenges: Vulnerability remediation and resource strain
Over the past decade, managing vulnerabilities has become increasingly complex. As software supply chains have expanded, vulnerabilities have surged. From 2013 to 2023, CVE reports increased by 463%, highlighting the issue's magnitude.
Unfortunately, vulnerability remediation hasn't kept pace. In 2017, some fixes were implemented in under 25 days. By 2024, many projects took over 400 days to address known vulnerabilities, with some critical issues taking up to 500 days. This trend poses a serious risk to organizations relying on open source, as unpatched vulnerabilities are more likely to be exploited.
Lessons learned and the road ahead
Over the past 10 years, open source has accelerated innovation and introduced new risks. The growing use of open source components and the rise of supply chain attacks have changed software development and security. While steps like SBOMs are positive, much work remains.
Moving forward, organizations must adopt proactive security measures, improve dependency management, and invest in automation to tackle the backlog of vulnerabilities.
Dive into our data and read more about the evolution of open source in our 10th annual State of the Software Supply Chain report.
