
2023 Predictions: What Will Happen in Software Supply Chain Governance?

Around this time last year, InfoWorld called 2022 “the year of software supply chain security.” Unfortunately, one year later it still feels very much like we’re back at the beginning. Our data shows software supply chain attacks on a steep incline, increasing an average of 742% yearly since 2019. Bad actors continue to target open source project ecosystems, and there’s no reason to believe next year will be different.

[Figure: line graph of the increase in software supply chain attacks since 2019.]

These attacks seem to correspond with the ongoing growth of the software supply chain. Our data on open source component downloads is showing continued growth for the top four development ecosystems.

[Figure: line graph of download volumes by ecosystem (Maven Central, npmjs, PyPI, and NuGet) since 2018.]

On top of this, modern applications consist of 85% third-party open source components. One report surveyed IT leaders who expect to increase their use of open source software by 80% for emerging technologies.

The use of open source in software development is a great success story for the tech industry. But the growth, widespread nature of open source software, and ease of publishing make it an attractive target for bad actors.

Today we look ahead with the help of experts at Sonatype to see what changes in development practices, open source security, and regulation will define 2023.

The year of the SBOM

Thanks to the steady pro-regulation drumbeat of industry leaders, increasing federal requirements stemming from President Biden’s Cybersecurity Executive Order, and the wake of the SolarWinds breach, the idea of needing a Software Bill of Materials (SBOM) is catching on.

The topic is also gaining prominence outside the U.S., with Japanese and European SBOM requirements (the latter under the Cyber Resilience Act) expected in the coming year.

However, many organizations treat their creation as a simple checkbox for policy compliance, and not (Read more...)

*** This is a Security Bloggers Network syndicated blog from Sonatype Blog authored by Luke Mcbride. Read the original post at: https://blog.sonatype.com/2023-predictions-software-supply-chain-governance
