Cyberattacks (or protests) from inside the developer community
The 2021State of the Software Supply Chain, the 6th Annual Report on Global Open Source Software Development is an analysis of developer trends based on a Sonatype survey of over 30,000 software developers from 160 countries.
A key finding of the report is a 430% growth in next-generation cyberattacks that actively target open source software projects. The attacks noted over the past twelve months are novel in that they no longer manifest themselves as passive exploits of known weaknesses, but as attackers, actively planting malware in open source projects. This means that the global open source community must distinguish between legacy supply chain exploits and next-generation supply chain attacks.
Over the past seven years, Sonatype has analyzed the patterns and practices associated with Java components downloaded from the central repository, finding that in 2019, 10.4% of billions of downloads had at least one known vulnerability. One in ten OSS downloads are vulnerable.
As issues like the war in Ukraine have become the agenda of many in the tech community, the open source community has had to deal with protest in the form of code in a form of social activism. The report suggests that hosting all necessary developer components locally will help mitigate any potential protest or activist action.
The wisdom of this practice can be seen in the link between positive outcomes for High Performers (see below) and the practice of maintaining a centralized record of applications, their dependencies, and associated development teams.
Given the increase in application vulnerabilities, it’s no surprise that standards bodies and governments are beginning to implement new standards to secure software supply chains: in America, the Open Chain Specification, version 2.0 is being implemented with the objective of providing a benchmark for building trust between organizations that exchange software solutions comprised of open source software.
In the UK, the National Cyber Security Center has released new guidelines and provided eight questions to help development teams assess their OSS components and reduce security risks.
The report’s ultimate conclusion is that productivity doesn’t have to come at the expense of reduced safety. The full report can be downloaded here.
Other findings of the report are as follows:
According to the report, Python remains the second most widely used programming language, with 15.7 million users. This is no surprise, since 70% of data science and machine learning experts use Python for their projects. The fastest growing languages are Rust and Kotlin, with usage tripling and doubling between Q1 2020 and Q1 2022 respectively. Meanwhile, mainstays like C, C++ and PHP have largely retained their user bases .
Types of developers: The report further assesses the personalities of the developers with respect to their work personas. In summary,
- 52% of developers rate themselves as balanced or versatile
- 8% of developers are particularly intellectually curious personality types
- 5% of developers are particularly responsible and cooperative
- 5% of developers are very success-oriented and stable
- And 2% of developers say they are introverted
Low-code/No-code: The advent of low-code/no-code tools has had an effect on the low-complexity part of the software industry. More experienced developers don’t tend to use these tools, with only 46% of professionals using them, and when they do use them, they account for less than a quarter of professionals’ development work.
Group mentalities: Cluster analysis from a survey of open source management practices identified four clusters, labeled as High Performers, Low Performers, Security First, and Productivity First. These groups all had markedly different performance levels and practice patterns. Almost all factors were statistically different in each cluster.
- High Performers: Displays high productivity and excellent risk management results
- Low performance: Showed low productivity and poor risk management results
- Safety first: Low productivity, but great risk management results
- Productivity first: high productivity recorded, but poor risk management results
Fundamentally, High Performer results were achieved through a combination of culture, development practices, policy enforcement, automation, and integrations applied throughout the development lifecycle. High performing enterprise development teams have shown 26x faster detection and remediation of open source vulnerabilities.