Sonatype analysis reveals a 73 percent surge in open-source demand

Ryan Daws is a senior editor at TechForge Media, with a seasoned background spanning over a decade in tech journalism. His expertise lies in identifying the latest technological trends, dissecting complex topics, and weaving compelling narratives around the most cutting-edge developments. His articles and interviews with leading industry figures have gained him recognition as a key influencer by organisations such as Onalytica. Publications under his stewardship have since gained recognition from leading analyst houses like Forrester for their performance. Find him on X (@gadget_ry) or Mastodon (@gadgetry@techhub.social)


A report from Sonatype has revealed a 73 percent surge in the demand for open-source despite a year of high profile vulnerabilities.

The growing use of open-source to keep up with the pace of modern development makes it a prime target for cybercriminals. We’ve seen this multiple times in practice over the past year, with devastating attacks such as the one on SolarWinds making national headlines for their widespread implications.

In fact, Sonatype’s report highlights a 650 percent year-on-year increase in supply chain attacks aimed at upstream public repositories.

“This year’s State of the Software Supply Chain report demonstrates, yet again, how open source is both critical fuel for digital innovation and a ripe target for software supply chain attacks,” said Matt Howard, EVP of Sonatype.

The leading four open-source ecosystems now feature a combined 37,451,682 different versions of components. The aforementioned 73 percent surge in demand means that, in 2021, developers are expected to download more than 2.2 trillion open source packages from the top four ecosystems.

“While developer demand for open source continues to grow exponentially, our research shows for the first time just how little of the overall supply is actually being utilised,” added Howard. “Further, we now know that popular projects contain disproportionately more vulnerabilities.

“This stark reality highlights both a critical responsibility and opportunity for engineering leaders to embrace intelligent automation so they can standardise on the best open-source suppliers and simultaneously help developers keep third-party libraries fresh and up to date with optimal versions.”

It’s well-known that PC users suffer from more hacks than their Mac counterparts. However, it’s not necessarily that PCs are less secure but their popularity makes them a more valuable target.

The most popular open-source projects are also the most vulnerable. Sonatype notes how 29 percent of popular projects suffer from at least one known security vulnerability compared to 6.5 percent of unpopular projects.

Developers who want to reduce their risk should look at a project’s mean time to update (MTTU). Projects with a faster MTTU were found to be 1.8x less likely to contain vulnerabilities.

However, the report makes clear that developers make “suboptimal” choices 69 percent of the time when updating third-party dependencies. Newer versions of a project are generally better, but that is not always the case.
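The MTTU heuristic above and the point about update choices are easier to act on with a concrete calculation. The following is an added example, not code or data from Sonatype or the report: it assumes MTTU is the mean lag in days between an upstream release and the date a project adopted it (the report’s exact methodology is not reproduced here), runs that calculation over constructed sample histories for two hypothetical projects, and ranks them so the faster updater can be preferred. Adoption dates that precede the release are treated as bad data rather than quietly lowering the average.

```python
from datetime import date
from statistics import mean

# Constructed sample data, not figures from the Sonatype report. Each entry
# describes one hypothetical candidate project and, for each dependency update
# it made, the pair (upstream release date, date the project adopted it).
UPDATE_HISTORY = {
    "project-prompt": [
        (date(2021, 1, 10), date(2021, 1, 20)),
        (date(2021, 3, 1), date(2021, 3, 15)),
        (date(2021, 6, 5), date(2021, 6, 11)),
    ],
    "project-laggard": [
        (date(2020, 9, 1), date(2020, 12, 30)),
        (date(2021, 2, 14), date(2021, 5, 15)),
    ],
}


def mean_time_to_update(history):
    """Mean lag in days between an upstream release and its adoption.

    This is the assumed definition of MTTU used by this example only.
    """
    lags = []
    for released, adopted in history:
        lag = (adopted - released).days
        if lag < 0:
            # A project cannot adopt a release before it exists; surface the
            # corrupt record instead of letting it drag the average down.
            raise ValueError(f"adoption {adopted} precedes release {released}")
        lags.append(lag)
    if not lags:
        raise ValueError("no update history; MTTU is undefined")
    return mean(lags)


def rank_by_mttu(histories):
    """Return (mttu_days, project_name) pairs, fastest updaters first."""
    return sorted((mean_time_to_update(h), name) for name, h in histories.items())


if __name__ == "__main__":
    for mttu, name in rank_by_mttu(UPDATE_HISTORY):
        print(f"{name}: MTTU {mttu:.1f} days")
```

In practice the release and adoption dates would come from the candidate project’s dependency manifest history (for example its lockfile commits), and the ranking would be one input alongside the popularity and known-vulnerability figures the report discusses.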

You can find a full copy of Sonatype’s 2021 State of the Software Supply Chain report here.

(Photo by SpaceX on Unsplash)

Want to learn about DevOps from leaders in the space? Check out the DevOps-as-a-Service Summit on 1 February 2022, where attendees will learn about the benefits of building collaboration and partnerships in delivery.

