The average UK business downloaded over 21,000 software components with a known vulnerability in the past year alone, new research from Sonatype has today revealed.
Of the 248,000 open source components downloaded on average by UK firms in 2018, 8.8% had a known security flaw, according to Sonatype’s fifth annual Software Supply Chain Report, which is based on data from 12,000 enterprise development companies globally.
Of these vulnerable components, a huge 30% – some 6300 – are deemed critical, posing a serious risk to the security of the software built from them.
“These findings are evidence of a worrying trend of vulnerable components being built into applications, with one in 10 open source components downloaded in 2018 containing a known security vulnerability,” said a spokesperson. “51% of JavaScript package downloads also had a known flaw, demonstrating the scale of the challenge facing organisations.”
Against these gloomy findings there are also reasons to be cheerful: the report identifies coding practices that are proven to significantly mitigate the threat. It also records a modest decrease in vulnerable downloads, from one in eight in 2017 to one in 10 last year, as businesses improve their software supply chain management.
The report also found that developers who use the latest versions of their open source component dependencies radically reduce their cyber risk.
“We have long advised businesses that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organisations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%.”
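The practices the report credits with that reduction (checking components against known advisories, preferring current releases, and automating the check) can be illustrated with a small audit script. The following is an added example written for this article, not Sonatype’s tooling or anything from the report: the dependency manifest, the advisory feed with its placeholder ids, the "latest release" index and the `">=lo,<hi"` range syntax are all constructed for the example. It flags every manifest component matching an advisory, reports whether moving to the latest release would clear the finding, and reproduces the report’s two headline ratios (share of components with a known flaw, share of findings rated critical) for the manifest.

```python
"""Audit a dependency manifest against a vulnerability feed.

Added illustration, not Sonatype's code. MANIFEST, ADVISORIES, LATEST and the
range syntax (">=lo,<hi", comma-separated clauses) are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn a dotted numeric version ("2.10.1") into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))


def in_range(version: Version, spec: str) -> bool:
    """True if `version` satisfies every clause of a spec like ">=1.0,<1.4.2".
    Supported operators: >=, <=, ==, >, <  (constructed syntax for this example)."""
    for clause in spec.split(","):
        clause = clause.strip()
        for op in (">=", "<=", "==", ">", "<"):  # two-char operators first
            if clause.startswith(op):
                bound = parse_version(clause[len(op):])
                break
        else:
            raise ValueError(f"unsupported clause: {clause!r}")
        holds = {">=": version >= bound, "<=": version <= bound, "==": version == bound,
                 ">": version > bound, "<": version < bound}[op]
        if not holds:
            return False
    return True


@dataclass(frozen=True)
class Advisory:
    component: str
    affected: str     # range spec of vulnerable releases
    severity: str     # "critical", "high", "medium" or "low"
    advisory_id: str  # placeholder ids; not real CVE numbers


@dataclass
class Finding:
    component: str
    version: str
    severity: str
    advisory_id: str
    fixed_in_latest: bool  # would upgrading to the latest release clear it?


def audit(manifest: Dict[str, str], advisories: List[Advisory],
          latest: Dict[str, str]) -> List[Finding]:
    """Match each pinned component against the feed; manifest order is preserved."""
    findings: List[Finding] = []
    for name, pinned in manifest.items():
        version = parse_version(pinned)
        for adv in advisories:
            if adv.component == name and in_range(version, adv.affected):
                newest = latest.get(name, pinned)
                fixed = not in_range(parse_version(newest), adv.affected)
                findings.append(Finding(name, pinned, adv.severity, adv.advisory_id, fixed))
    return findings


def summarise(manifest: Dict[str, str], findings: List[Finding]) -> Dict[str, float]:
    """The report's two headline ratios, computed for one manifest."""
    flagged = {f.component for f in findings}
    critical = sum(1 for f in findings if f.severity == "critical")
    return {
        "vulnerable_share": len(flagged) / len(manifest) if manifest else 0.0,
        "critical_share": critical / len(findings) if findings else 0.0,
    }


# Constructed sample data: a pinned manifest, an advisory feed, a release index.
MANIFEST = {"web-framework": "2.3.0", "json-parser": "1.9.4",
            "log-lib": "4.1.0", "crypto-utils": "0.8.2"}
ADVISORIES = [
    Advisory("json-parser", ">=1.0,<2.0", "critical", "ADV-EXAMPLE-001"),
    Advisory("log-lib", "<4.2.0", "high", "ADV-EXAMPLE-002"),
    Advisory("log-lib", ">=4.0,<5.0", "medium", "ADV-EXAMPLE-003"),  # latest still affected
    Advisory("crypto-utils", "<0.5", "critical", "ADV-EXAMPLE-004"),  # pinned 0.8.2 is clear
]
LATEST = {"web-framework": "2.3.0", "json-parser": "2.1.0",
          "log-lib": "4.3.1", "crypto-utils": "0.9.0"}

if __name__ == "__main__":
    results = audit(MANIFEST, ADVISORIES, LATEST)
    for f in results:
        action = "upgrade to latest fixes it" if f.fixed_in_latest else "no fixed release yet"
        print(f"{f.component} {f.version}: {f.severity} {f.advisory_id} ({action})")
    print(summarise(MANIFEST, results))
```

Run against the constructed data, the script flags two of the four components (the 8.8%-style ratio here is 50%), rates one of the three findings critical, and shows that the `log-lib` medium-severity advisory has no fixed release, which is exactly the case where "use the latest version" is not sufficient and supplier choice comes into play.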