There’s been a 71% increase in open source-related breaches over the past five years, with UK firms downloading on average 21,000 software components known to be vulnerable over the past 12 months, according to Sonatype.
The DevOps automation firm’s annual State of the Software Supply Chain report features global analysis from 36,000 open source project teams, 3.7 million open source releases, 12,000 commercial engineering teams and two surveys.
It claimed supply and demand of open source components is at an all-time high, with over 146 billion download requests of Java components in 2018: a 68% increase on 2017 figures.
Yet while these downloads help to speed up DevOps, they also introduce potential risk. The report found that over 51% of Java package downloads have a known security vulnerability, as do 1 in 10 Java component releases.
The 21,000 open source components UK firms downloaded containing known software vulnerabilities amounts to nearly 9% of all downloads made last year. More worrying still: nearly a third (30%) of these were critical vulnerabilities.
The report also highlighted the number of firms using the infamous vulnerable Apache Struts component responsible for the Equifax breach which affected an estimated half of all adult Americans.
It revealed that downloads of the component actually increased by 11% in the year following the 2017 breach — amounting to 2.1m each month.
However, there was some cause for optimism: the report revealed 295 open source projects with exemplary coding practices, using automated tools to remediate known vulnerabilities quicker and update dependencies.
"We have long advised business that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software,'' said Wayne Jackson, CEO of Sonatype. “For organizations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive.”