I did not have to ask ChatGPT to know that cybersecurity is a top priority for any CTO today. The threats are rising and getting more and more sophisticated:
- Ransomware payouts doubled (2022 vs 2023)
- Data breaches and cybercrime reached 8 trillion last year
Spending on defense against known hacking efforts grew by 11% versus last year. Many regulations created lately in the US and Europe reflect this concern, as any cybersecurity breach can affect our daily life.
My focus in this post will be the software supply chain, as this is closest to what we do at Morean, where we build software for a living. One of our main priorities is that the software we build is secure for our customers.
No matter what the language is, 90% of the code run in production is open source. As stated in Sonatype's 9th Annual State of the Software Supply Chain:
“Consider this: last year, we revealed that a staggering 85% of projects in Maven Central — the largest public repository for Java open source components — are inactive. In other words, developers are faced with a perplexing array of choices, with only a fraction of them leading to active, well-maintained projects. Yet, we also found, and re-affirmed this year, that 96% of all vulnerable downloads from Maven Central had known fixes available”.
First, some figures to get you scared:
- 1 in 8 open source downloads has known risk.
- Last year, 245,000 malicious packages were discovered (2x all previous years combined).
- 18.6% of open source projects across Java and JavaScript are no longer maintained.
- 96% of vulnerable downloaded releases had a fixed version available.
- 10 superior versions of a component are typically available for every non-optimal component upgrade made.
The growth of open source adoption continues, with the top five languages on GitHub accounting for 60% according to the PYPL language popularity index.
Don’t panic! Thanks to companies like Sonatype, we can all learn how to best manage the software supply chain process in a secure way, getting the best of the open source world.
“There are so many choices to make, and only with the right tools, the right automation, can developers truly be set up for success”
When you are building software and want to make it secure, there are some key actions to take:
1. Public repos: Sonatype Repository Firewall
Avoid getting harmed from the outside.
2. Your repo: Sonatype Nexus Repository
Manage binaries and built artifacts.
3. Your inventory: Sonatype Lifecycle
Continuously identify risk, enforce policy, and remediate vulnerabilities across every phase of the SDLC.
4. Your SBOM: Sonatype SBOM Manager
Industry's only enterprise-class SBOM solution.
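As an added illustration of steps 3 and 4 (not code from this post or from Sonatype), here is a minimal policy gate over a constructed CycloneDX-style SBOM and a constructed advisory list: it flags components with a known issue and, echoing the figure that 96% of vulnerable downloads already had a fix, reports whether an upgrade is available or the component must be replaced. All package names, versions and advisory ids are placeholders.

```python
"""Minimal SBOM policy gate: flag components with a known advisory and report
whether a fixed version exists. Added illustration, not Sonatype's own code."""
import json

# Constructed CycloneDX-style SBOM fragment (placeholder packages, not a real inventory).
SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"purl": "pkg:maven/org.example/parser@1.2.0", "name": "parser", "version": "1.2.0"},
        {"purl": "pkg:maven/org.example/netlib@2.0.3", "name": "netlib", "version": "2.0.3"},
        {"purl": "pkg:npm/example-widget@0.9.1", "name": "example-widget", "version": "0.9.1"},
    ],
})

# Constructed advisory feed keyed by package (purl without version).
# affected_below: versions strictly below this are vulnerable; fixed_in: None if no fix exists.
ADVISORIES = {
    "pkg:maven/org.example/parser": {"id": "ADV-PLACEHOLDER-1", "affected_below": "1.2.4", "fixed_in": "1.2.4"},
    "pkg:npm/example-widget": {"id": "ADV-PLACEHOLDER-2", "affected_below": "1.0.0", "fixed_in": None},
}

def parse_version(v):
    """Turn '1.2.4' into (1, 2, 4) so versions compare numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def assess(sbom_json, advisories):
    """Return one finding per SBOM component that falls inside an advisory's affected range."""
    findings = []
    for comp in json.loads(sbom_json)["components"]:
        base, _, version = comp["purl"].rpartition("@")
        adv = advisories.get(base)
        if adv is None or parse_version(version) >= parse_version(adv["affected_below"]):
            continue  # no advisory, or already at/above the affected range
        findings.append({
            "purl": comp["purl"], "advisory": adv["id"], "fixed_in": adv["fixed_in"],
            "action": "upgrade" if adv["fixed_in"] else "replace or isolate",
        })
    return findings

def policy_passes(findings):
    """Policy: block the build if any vulnerable component already has a fix available."""
    return not any(f["fixed_in"] for f in findings)

if __name__ == "__main__":
    found = assess(SBOM_JSON, ADVISORIES)
    for f in found:
        print(f)
    print("policy:", "PASS" if policy_passes(found) else "BLOCK")
```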
Sources:
https://www.sonatype.com/state-of-thesoftwaresupplychain/introduction
https://pypl.github.io/PYPL.html