{"id":32626,"date":"2017-07-21T08:40:31","date_gmt":"2017-07-21T12:40:31","guid":{"rendered":"http:\/\/www.opensource.im\/uncategorized\/software-wet-wipes-sonatype-advocates-supply-chain-hygiene-computerweekly-com-blog.php"},"modified":"2017-07-21T08:40:31","modified_gmt":"2017-07-21T12:40:31","slug":"software-wet-wipes-sonatype-advocates-supply-chain-hygiene-computerweekly-com-blog","status":"publish","type":"post","link":"https:\/\/euvolution.com\/open-source-convergence\/open-source-software\/software-wet-wipes-sonatype-advocates-supply-chain-hygiene-computerweekly-com-blog.php","title":{"rendered":"Software wet wipes, Sonatype advocates supply chain hygiene &#8211; ComputerWeekly.com (blog)"},"content":{"rendered":"<p>Supply chain automation company Sonatype produces what it calls its Software Supply Chain Report every year (now in its third) in an attempt to highlight alleged risks lurking within open source software components.<\/p>\n<p>The firm gets quite puritanical and says it wants to quantify the empirical benefits of actively managing so-called software supply chain hygiene.
<\/p>\n<p>There's a big claim being made here and it reads as follows: organisations that are actively managing the quality of open source components flowing into production applications are realising:<\/p>\n<p>Sonatype specialises in technology areas which include automated governance tools within the context of what we now understand to be the DevOps discipline.<\/p>\n<p>With the above fact (and perhaps a pinch of salt) in mind then, we can learn that analysis of more than 17,000 applications reveals that applications built by teams utilising automated governance tools reduced the percentage of defective components by 63%.<\/p>\n<p>\"Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts. However, many still rely on manual and time-consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity,\" said Wayne Jackson, CEO, Sonatype.<\/p>\n<p>The wider claims here (from Sonatype) include suggestions that even when vulnerabilities are known, open source software projects are slow to remediate, if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.<\/p>\n<p>This, says the firm, puts the onus on DevOps organisations to actively govern which open source (OSS) projects they work with, and which components they ultimately consume.<\/p>\n<p>The full report is available here.
<\/p>\n<p>Originally posted here:<br \/>\n<a target=\"_blank\" href=\"http:\/\/www.computerweekly.com\/blog\/Open-Source-Insider\/Software-wet-wipes-Sonatype-advocates-supply-chain-hygiene\" title=\"Software wet wipes, Sonatype advocates supply chain hygiene - ComputerWeekly.com (blog)\">Software wet wipes, Sonatype advocates supply chain hygiene - ComputerWeekly.com (blog)<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Supply chain automation company Sonatype produces what it calls its Software Supply Chain Report every year (now in its third) in an attempt to highlight alleged risks lurking within open source software components.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-32626","post","type-post","status-publish","format-standard","hentry","category-open-source-software"],"_links":{"self":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/32626"}],"collection":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/comments?post=32626"}],"version-history":[{"count":0,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/posts\/32626\/revisions"}],"wp:attachment":[{
"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/media?parent=32626"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/categories?post=32626"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/euvolution.com\/open-source-convergence\/wp-json\/wp\/v2\/tags?post=32626"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}