The use of open source software exploded in 2015, almost doubling from the year before. But concerns about software quality and security have followed, as application developers take advantage of an ever broadening open source supply chain of every varying quality.
The firm Sonatype, which manages the world’s largest repository of open source components, reported that it received 31 billion download requests from its Central Repository during 2015, up from over 17 billion such requests in 2014. The average enterprise downloaded 229,000 open source components during the same period.
However, software quality continues to be an issue, with a survey of 25,000 applications revealing that close to 7% percent of components in use had a known security defect that could lead to successful attacks, Sonatype warned.
The data comes from the company’s 2016 State of the Software Supply Chain Report, the second such report the company has published. It surveys data from Sonatype’s Central Repository, a public repository of open source components for the Java development community to reveal high level trends within the open source industry. Sonatype also tapped data from other open source repository including RubyGems.org, NPM, DockerHub and Nexus, the company’s private repository.
In 2015, that data showed a hockey-stick like curve marking the increase in open source component use and activity across the space. Sonatype said that the volume of open source download requests has increased 64 times over since 2007, driven by a shift in application development towards a component-based architecture that heavily relies on open source to accelerate development by leveraging already-created software components.
Software development today closely resembles “how physical goods, like automobiles, are manufactured,” the report concludes.
While good for output, the embrace of software supply chains heavily rooted in open source poses real risks, as well, the report makes clear. An analysis of 380,000 open source projects revealed that components are updated an average of 14 times a year, with half of all projects releasing new versions between three and 10 times a year.
That flux can make it difficult for downstream consumers of those components to keep abreast of the latest version of open source code, and can allow known vulnerabilities in open source components to lurk, unpatched, within applications. Data from 2014 indicated that 59% of open source projects with known security vulnerabilities in their dependencies were never repaired. Among the 41 percent of open source projects that did fix known security holes, the average repair time was more than a year – 390 days.
Furthermore, old and vulnerable components are often re-used even when updates are available. Just over six percent (6.1%) of downloads from Sonatype’s Central Repository in 2015 contained a known vulnerability, a figure that was almost unchanged from a year earlier. 71,000 software components in the company’s Central Repository ad known security vulnerabilities associated with them in 2015, the company reported. And while downloads don’t equate to use, a study of 25,000 application scans revealed that a very similar share of components – 6.8% – contained at least one known security vulnerability.
The message, said Weeks, is that quality issues pervade software development supply chains from end to end – from download of a software component (or “part”) to its incorporation in a finished application (or “product”). “It says that there is not enough hygiene between the two points to maintain the highest quality,” Weeks said. “We’re seeing software vulnerabilities flow from one end to the other.”
The incident was akin to an automobile assembly line grinding to a halt because supplies of a single bolt dry up, and underscore the precarious conditions under which many software development shops operate.
Sonatype advocates for software development organizations to institute processes that increase accountability and quality control. Software development shops should develop a software “build of materials” that accounts for everything that goes into a product. That way, defects in any one component are easy to isolate and fix.
The infamous Heartbleed vulnerability in OpenSSL underscored how difficult it can be to assess the impact of a serious flaw without that basic accountability.
Weeks said that companies should also consider moving to local code repositories to make them more resilient and less vulnerable to hiccups in global software supply chains like the npm-gate incident. Using local repositories as gates to local development environments also allows software development firms to get a grip on software procurement: allowing a small group of knowledgeable and designated individuals assess any new open source or proprietary code before it is introduced to a development environment. As it stands: organizations often leave it individual developers leeway to use whatever components they prefer – essentially crowd sourcing procurement in a way that is hard to police.
“Toyota might have 200,000 workers on their assembly line, but they don’t have 200,000 people in procurement,” Weeks said.
Quality and oversight will become even more important as software comes to run more critical systems, including those that control our physical environment and even bodily functions. While it might be easy to push updates and fixes to connected home products, the bar for doing so to pacemakers and implantable medical devices will be higher, requiring more forethought and planning, Weeks said.