Sonatype Report Reveals Software Supply Chain Attacks Soar 742% in Three Years




Earlier today, experts revealed that 88,000 malicious open source packages have been uncovered so far this year, a triple-digit increase on the same figure in 2019 and indicative of a fast-growing corporate attack surface.


Sonatype’s eighth annual State of the Software Supply Chain report, compiled from public and proprietary data analysis covering 131 billion Maven Central downloads and thousands of open source projects, revealed the figures.


Notably, it details the growing risk to corporate systems from both malicious packages inserted into repositories by threat actors, and accidental vulnerabilities that are unwittingly downloaded by DevOps teams.


Additionally, the surge in malicious activity is testament to the growing use of open source packages by these teams to speed time-to-market. Sonatype estimated that open source requests would exceed three trillion this year.


The sheer scale of open source consumption and the extra complexity introduced by software dependencies mean that threats and vulnerabilities can be missed by developers, the vendor argued.


The report claimed that the average Java application now contains 148 dependencies – 20 more than last year. With the average Java project updating 10 times a year, developers must track intelligence on nearly 1500 dependency changes annually for each application they work on, Sonatype estimated.


However, visibility into these development environments appears to be lacking: transitive dependencies accounted for six out of every seven bugs affecting open source projects over the past year, it claimed.


Overall, 96% of open source Java downloads containing known vulnerabilities could have been avoided, because a better version was available but for some reason wasn’t used, the report noted.
