Perception versus reality: A data-driven look at open source risk management
By Luke Mcbride
On October 18, 2022, Sonatype published the 8th annual State of the Software Supply Chain report. The report is our ongoing contribution to a growing body of knowledge about software development that uses third-party open source software. Dr. Stephen Magill, one of the report's primary authors and VP of Product Innovation, presented a talk summarizing the report with additional context, background, and data.
Key themes include:
- Overall ongoing growth of the software supply chain, as well as an increase in dependency usage and releases.
- Worrying trends around attacks and slow patching.
- Better dependency management and remediation.
- The importance of code review.
- What the data tells us is really happening in open source and software development.
[Slide from Stephen's presentation detailing one of our key insights.]
Stephen digs into the research methods and data sources behind the report, and shares his own insights on the various methods for evaluating projects, including the OpenSSF Scorecard and the Sonatype Safety Rating.
He also distills what we've learned in this year's report into best practices for the industry. Suggestions based on the report are available for development teams, including what hard questions to ask about your own organization.
Written by Luke Mcbride
Luke is a writer at Sonatype covering everything from open source licenses and liability to DevSecOps trends and container security.