Supply chain attacks on open source repositories reach new heights

There has been a 650% year-over-year increase in upstream supply chain attacks on public open source repositories, according to a new report.
Interestingly, despite the risk, cybersecurity firm Sonatype’s seventh annual report on the state of the software supply chain notes strong growth in both the supply of and the demand for open source software.
“This year’s State of the Software Supply Chain report demonstrates, once again, how open source is both an essential fuel for digital innovation and an ideal target for supply chain attacks,” said Matt Howard, EVP of Sonatype.
This year’s report analyzed the supply, demand and security trends in four popular open source repositories serving major programming language ecosystems: Java (Maven Central), JavaScript (npmjs), Python (PyPI) and .NET (NuGet).
Popular projects are more vulnerable
The report notes that the demand for open source software increased by 73% in 2021, with developers expected to download more than 2.2 trillion open source packages from the four major ecosystems.
Sonatype’s analysis revealed that the top four open source ecosystems now contain a total of 37,451,682 different component versions, which is a 20% increase over last year.
However, the security company also points to the surprising increase in attacks “aimed at exploiting weaknesses in upstream open source ecosystems.”
A threat analysis found popular projects to be more vulnerable, with 29% of them containing at least one known security vulnerability.
The figure drops to 6.5% for less popular project versions. Sonatype sees this as a sign that security researchers, both black hat and white hat, are concentrating their efforts on the most widely used projects.
Sonatype’s research is not the first to highlight the pressing need to secure the open source software supply chain. Veracode came to a similar conclusion earlier this year, based on an analysis of 13 million crawls from over 86,000 repositories, with a total of over 301,000 unique open source libraries.
Last year, the Linux Foundation brought together Microsoft, GitHub, Google, IBM, Red Hat and JPMorgan, among others, to create the Open Source Security Foundation (OpenSSF) with the aim of improving open source security. Earlier this year, the group announced the Dashboard project to help clean up the open source software supply chain.