What 36,000 OSS Projects and 12,000 Commercial Dev Teams Taught Us About Secure Coding Practices

After ten months of research that involved studying 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases, we are pleased to announce the arrival of the 2019 State of the Software Supply Chain report.

This year’s report is different. We partnered with research partners Gene Kim from IT Revolution and Dr. Stephen Magill of Galois and CEO of Muse to objectively examine and empirically document, for the first time, the attributes of exemplary development practices, especially in relation to secure coding practices. But, as in years past, we have also analyzed the rapidly expanding supply of, and continued exponential growth in demand for, open source components.

Not All Open Source Projects Are Created Equal

For the past four years, we have studied the ins and outs of the software supply chain: what it is made up of, how vulnerabilities get in and how often, the growing regulations, and most recently, a new trend in which adversaries purposely attack the supply chain with malicious components.

For our fifth anniversary of the report, we wanted to look deeper. We wanted to understand exactly how enterprise development teams and, potentially even more importantly, OSS projects were thinking about and addressing software supply chain security issues. We wanted to understand and identify the very best practices so we could share them with others.

As a result of our research, we identified five common behavior patterns across 36,000 open source development teams. This includes identifying the attributes of large and small Exemplars, the top 3% (1,229) of OSS projects ranked by development behavior.

To arrive at this list we examined a large number of variables including:

  • Do differences exist in how effectively OSS projects update their dependencies and fix vulnerabilities?
  • Are there exemplary teams that do (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Derek Weeks. Read the original post at: https://blog.sonatype.com/2019ssc