8th Annual State of the Software Supply Chain
Software
Supply Chain
What follows is our 8th Annual State of the Software Supply Chain report, which analyzes how software is developed, the industry's reliance on open source software, and the good and bad of that dependence. With this in-depth research, we hope to provide not just understanding of today’s software development lifecycle, but recommended changes that can make software supply chains more secure, and the lives of developers easier.
As in year’s past, this year saw tremendous growth in demand for open source, as well as the need for effective management. We’ve hit an inflection point, and development teams must address software supply chain attacks and select better open source projects. We also look at current software development best practices, how developers perceive themselves versus performance, and the widespread benefits of improved morale.
Likely the most serious development this year is an approaching collision of two critical issues in our industry: the continued growth of open source security concerns along with a dramatic legislative response by governments worldwide.
Regulation comes to the software supply chain
On January 1, 1968, Title 49 of the United States Code Motor Safety Standard went into effect. This law requires all vehicles, not including buses, to be fit with seat belts for all designated seating positions in the vehicle. State laws requiring mandatory usage would soon follow.
Today most of us wouldn't think twice about buckling up—even for a trip around the block. The idea of preemptive safety has been instilled in us, but it took some time for us to appreciate the necessity. Now it is common practice.
In every facet of life in the developed world, our lives are blanketed with regulations that aim to remove risk from an increasingly technical world. Speed limits, stock trading requirements, stringent controls over pilot hours in the skies, et al. And we generally observe these safety measures as they have, for the most part, become habit-forming, and we accept the idea that they are good for us.
What would it mean to buckle up in software development?
We are in year two of the Presidential Executive Order put forth in the United States addressing the software supply chain in the areas of cybersecurity—aiming to reduce risk. Other countries have followed suit. Later in the report, you'll note there are several new developments worldwide in 2022 spawned by the initial Executive Order. Japan for example, hosted the Open Source Security Summit in August 2022, and the European Union has put forth proposed legislation with the Cyber Resilience Act in September 2022.
While designed to reduce risk and secure software supply chains, these developments don't yet come with mandatory enforcement. As such, enterprises and developer methodologies vary remarkably, as do outcomes.
Indeed, applying a best practices construct versus a casual approach yields dramatic differences regarding how software supply chains are secured. This edition of the State of the Software Supply Chain Report reflects the symbiotic nature of good practices and good outcomes and the counter—poor practices and poor outcomes. The inspiration for the report was and continues to be to provoke developer level software supply chain practices that improve how we can and should work to create positive outcomes and fulfilling work experiences.
We continue to draw from public and proprietary data sources to illustrate a host of issues with effective supply chain management. We'll look at:
- Ongoing growth of the software supply chain, as well as persistent security concerns
- Insights on choosing the best dependencies for your projects
- Developer behavior and recommendations
- A look at enlightened supply chain management and perception versus reality for maturity
- Current and upcoming regulation status on an International level
This report is a look into data-backed methodologies in the open source ecosystem and the impact on the software supply chain. Enjoy the read and buckle up!
Foreword
Enhancing software supply chain security is a priority issue for the open source community. Recent exploitations, from Log4j to crypto heists tied to open source repositories, have proven costly, not only in financial terms, but in terms of loss of trust. At the Linux Foundation (LF), we've engaged stakeholders across the open source ecosystem to build more trusted software supply chains, understanding that only through a coordinated effort to implement security best practices can we create the necessary foundations for more secure software. And within this landscape, Sonatype has been a reliable and trusted partner.
Among the important security initiatives at the LF include the formation of the Open Source Security Foundation, the hosting of recent Open Source Security Summits in North America, Europe, and Japan, the creation of free security-related training courses, such as how to use Sigstore and SLSA levels to secure software supply chains, as well as the engagement of executive leaders in government and enterprise. And in pursuing further research, highlighted by the formation of LF Research as a capability in 2021, we're actively engaged in supporting coordinated open source software security efforts through trusted data generation.
Current research on open source - including measuring supply and demand, identifying trends in contribution levels, and exploring security-related challenges and readiness - is a sought-after resource for the formation of open source strategy and guiding the implementation of best practices. Organizations like Sonatype are leading the much-needed empirical research effort to help answer critical questions around open source trends at a broad level, with an increasing focus on security. Recent research from the LF identifies the most widely used software applications (with the Laboratory of Innovation Science at Harvard), explores software bill of materials (SBOM) readiness, identifies gaps in organizational software development practices, and uncovers challenges facing the maintainer and committer community. And in the process of producing research, we know we can't operate on our own. It takes a community to build data-driven insights—the type that encourages development teams to apply sound and secure methodologies.
Sonatype's annual research reports are a vital part of the open source data and insights landscape, and this year's report is no exception. New data on dependency management, standards adoption, velocity, and yes - the efficacy of security metrics - including the Open Source Security Foundation Scorecard, will guide decision makers with increasing confidence. Sonatype's 8th Annual State of the Software Supply Chain is an important resource that will inform high-impact actions across the ecosystem, and empower all facets of the open source community to reach consensus on important issues. We at the Linux Foundation wholeheartedly support this work.
Hilary Carter
VP Research
The Linux Foundation