Attacks on software supply chains increased dramatically in 2023, with an increase of 200% compared to 2022, according to Sonatype’s new report. Also, vulnerabilities are still present in downloaded dependencies, which is a reason why more regulations and processes in software development are needed.

This research from Sonatype, a U.S.-based company specializing in software supply chain management and security, also covers developers’ challenges and the possible benefits to using AI security solutions.

Jump to:

Attacks on open source software to spread malicious packages

According to Sonatype’s report, 2022 saw a massive increase of malicious attacks on the open source software supply chain, which has kept growing in 2023. The year-over-year monitoring shows 245,032 malicious packages as of September 2023, which is three times the number of malicious packages seen in 2022 or two times all previous years combined (Figure A). Sonatype’s research is in line with the European Union Agency for Cybersecurity’s reporting in late 2022 that the compromise of software supply chains through software dependencies is the number one emerging threat.

Figure A

Number of malicious packages in software repositories.
Number of malicious packages in software repositories. Image: Sonatype   

Because of this huge increase in attacks, many open-source systems have implemented new security policies and improvements, such as mandatory multifactor authentication for developers; however, oftentimes, malicious packages are handled the same as packages with vulnerabilities, meaning they’re taken down the same way as vulnerabilities, which is inappropriate for malicious content, as the packages might stay online longer for that reason.

Of the survey respondents, this is how long it takes to mitigate a vulnerability in their organization from the moment it is detected (Figure B):

  • Between a week and never: 39%
  • Less than a day: 19.2%
  • More than a week: 36.2%
  • Less than an hour: 3.1%

Figure B

Time to remediate known vulnerabilities after detection.
Time to remediate known vulnerabilities after detection. Image: Sonatype

Regarding repository downloads, nearly 96% of components downloads with known vulnerabilities could be avoided, as fixes were already available at the time of download. This shows that organizations must pay closer attention to the versions of software they install. As a bad example, vulnerable versions of Log4j still account for nearly a quarter of all new downloads of that software.

From the average 37.8 billion monthly downloads from the Maven Central repository, 3.97 billion vulnerable components were consumed.

“Our industry needs to direct its efforts towards the right place. The fact that there’s been a fix for almost all downloads of components with a known vulnerability tells us an immediate focus should be supporting developers to become better decision-makers, and giving them access to the right tools,” said Brian Fox, chief technical officer at Sonatype, in an interview with TechRepublic.

Growth in entire open source ecosystem

It’s also interesting to note that the whole open source ecosystem has grown. The top four major open source ecosystems — Java (Maven), JavaScript (rpm), Python (PyPI) and .NET (NuGet Gallery) — all show a YoY percentage between 27% and 28% for project growth, with 367,000 up to 2.5M projects per ecosystem (Figure C).

Figure C

Top four major open source software ecosystems statistics for 2023.
Top four major open source software ecosystems statistics for 2023. Image: Sonatype

This growth shows an increase in software productivity after a slowdown between 2020 and 2022, probably due to the COVID-19 pandemic. Another explanation, according to Sonatype, could be that ” … a lot of these projects are in fact coming from commercial activity and not people with spare time, which was in abundance during the pandemic.”

Fighting vulnerabilities in open source software

The best method for identifying vulnerabilities in software is code review (Figure D), where code changes are peer-reviewed before being put online.

Figure D

The most useful elements to identify vulnerabilities in open source projects.
The most useful elements to identify vulnerabilities in open source projects. Image: Sonatype

Second comes the binary checks: When a package contains a binary, it needs to be properly checked for vulnerabilities. Project dependencies also need to be pinned to specific versions.

Branch protection is necessary on the “default” and “release” branches to prevent maintainers from circumventing workflows such as continuous integration tests or code review when updating.

In addition, it’s important to use projects that are well-maintained, because they show lower rates of vulnerabilities. As stated by Sonatype, ” … enterprises looking to minimize their open source vulnerability risk should choose well-maintained projects that perform code review and monitor them to ensure they have not reached end-of-life.”

SEE: Checklist: Network and systems security (TechRepublic Premium)

Developers’ challenges and the open source dependency management problem

Software supply chain security is complex and is impacted by various factors. For instance, in addition to developers’ programming challenges, they face responsibilities in their work, such as making informed choices regarding open-source components for their software projects. The dependency management has been known as “dependency hell” in developers’ communities and is very difficult to deal with.

As an example, the average Java application needs 148 dependencies, with around 10 annual releases. For developing that application, the developer needs to carefully select and manage those 148 dependencies, yet should also track an average of 1,500 dependency changes per year. That tracking needs security and legal expertise that not all developers have in order to choose the safest versions.

Adding pressure on the developers to be efficient and fast can lead to them feeling overwhelmed, resulting in weaker choices.

Those dependency choices are also altered by software popularity, which tends to bring a false feeling of safety, as popular code isn’t necessarily secure code. Inactive releases, which represent 85% of projects in repositories, overwhelm developers with available options.

To help resolve this problem, Sonatype has developed a scoring system based on five key dimensions: security, license, age, popularity and release stability (Figure E).

Figure E

Optimal open-source component dimensions.
Optimal open-source component dimensions. Image: Sonatype

A careful analysis of those components facilitates decisions in software supply chain management. It’s also recommended to use repository management software that can be customized to organizations’ needs and helps developers to stop wasting time in handling too many updates.

Software supply chain regulations

While we’re still in the early stages of regulations for software supply chains, it seems important enough to see guidance and regulation emerge in many countries. The regulatory actions from key countries such as the U.S., Europe, U.K., Australia, Canada, Japan and New Zealand show a shared motivation to improve digital defenses and protect organizations’ infrastructures.

Software manufacturers are likely to face more responsibilities and liabilities when their software doesn’t inherently integrate a security feature, while robust processes to address cybersecurity incidents need to be deployed in all organizations.

More international collaboration will be necessary to increase security in software development. As stated by Sonatype in its report, regulations ” … as well as future related initiatives will play a pivotal role in shaping the future of cybersecurity policies and practices at scale worldwide.”

Benefits to using AI-driven security solutions

Artificial intelligence and machine learning are technologies with the power to reshape software development.

AI has been broadly adopted according to the survey, with 97% currently incorporating generative AI in their workflow to some degree. And, 47% of DevOps and 57% of SecOps respondents reported the use of AI saved them more than six hours a week.

From a security point of view, AI-driven solutions can identify vulnerabilities or bugs in software code faster and more efficiently than traditional methods. There are benefits for developers of all levels.

Senior developers can leverage AI tools to complete tedious tasks and develop parts of their code, while junior developers benefit from having AI tools answer their questions efficiently while providing insight into technical terms and jargon. Both junior and senior developers can use queries to develop basic code fast while allowing them to focus on more complex issues in their projects. AI tools might even be used as valuable debugging tools in addition to producing code.

Be careful when deploying and monitoring AI tools

AI tools, particularly large language models, need careful monitoring and shouldn’t operate in an automated way. LLMs might experience false information or hallucinations, which should be detected and cared for.

LLM-as-a-service accelerates development and improves performances, yet might be costly (enterprises pay for each token sent and received) when heavily used. Moreover, the organizations subscribing to it are ” … vulnerable to vendor outages, deprecated features, or unforeseen changes in model performance that may not align with the specific task at hand” as stated by Sonatype.

When used in organizations, open-source LLMs must be carefully deployed. The models used must be carefully chosen (there are more than 300,000 models available) according to the application and tuned to the computational requirements and performance of the structure. A licensing risk exists; a model that’s released under a license that restricts commercial use or requests specific conditions might lead to a terms violation if not examined carefully.

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday