- The software supply chain is booming and enterprises are frequently turning to open source and third party software components to decrease the amount of code they have to write, which helps accelerate deployment cycles, according to Sonatype’s 2016 State of the Software Supply Chain report released Monday.
- In 2015, developers had 31 billion download requests of open source and third party software components, compared to 17 billion requests the year before, according to analysis from Central Repository, which is managed by Sonatype.
- The average enterprise downloaded 229,000 open source components in 2015, but many had aspects that aged and became stale quickly, which could lead to increased security vulnerabilities, licensing risks or component part rework, according to the report.
More and more, companies are turning to the open source development community to supplement internal efforts, even though inherent security risks can linger. From Exxon to the U.S. Federal Trade Commission, enterprises, federal regulators and industry associations alike are starting to rely on automation to help improve the safety, quality and security of outside software components, according to the study.
Relying on third party and open source software components can diminish the time it takes for companies to deliver applications, potentially saving in-house developers hundreds of hours. Modern applications consist of between 80% and 90% component parts, according to the study. That drastically decreases the amount of code written from scratch.
"By failing to effectively manage their software supply chain, we have found that software development organizations are taking on significant technical debt that is completely avoidable," Sonatype CEO Wayne Jackson said in a statement. "Hours invested managing service interruptions and security breaches could otherwise be spent adding value for their companies and customers."
But relying on outside development is not without its drawbacks. Looking at 25,000 applications, the study found that 6.8% of the components had at least one security defect. Those tainted parts can then find their way into enterprise applications. Older software components in particular can be security risks, accounting for 77% of known vulnerabilities.
Open source software is already starting to dominate enterprises, offering companies advantages for cost, control and innovation. But companies need to remain strategic in their use of outside development, because flaws can persist. Like Sonatype, Black Duck Software also found multiple flaws in open source components, discovering that 67% of the 200 commercial applications it reviewed over a six month period contained vulnerable open source components.