There has been a huge 650% year-over-year increase in upstream supply chain attacks on open source public repositories, according to a new report.
Interestingly, despite the risk, cybersecurity firm Sonatype's seventh annual report on the state of the software supply chain notes strong growth in open source software supply and demand.
"This year's State of the Software Supply Chain Report demonstrates, once again, how open source is both an essential fuel for digital innovation and an ideal target for software supply chain attacks," said Matt Howard, executive vice president at Sonatype.
Popular projects are more vulnerable
The report notes that demand for open source software increased by 73% in 2021, with developers expected to download more than 2.2 trillion open source packages from the four major ecosystems.
Sonatype's analysis revealed that the four major open source ecosystems now contain a total of 37,451,682 different component versions, a 20% increase over last year.
However, the security company also highlighted the surprising increase in attacks "aimed at exploiting weaknesses in upstream open source ecosystems."
A threat analysis found popular projects to be more vulnerable, with 29% of popular project versions containing at least one known security vulnerability.
The figure drops to 6.5% when it comes to finding vulnerabilities in less popular project versions. Sonatype sees this as a sign that security researchers (blackhat and whitehat) are focusing their efforts on the most used projects.
Sonatype's research is not the first to highlight the urgent need to secure the open source software supply chain. Veracode came to a similar conclusion earlier this year, based on an analysis of 13 million scans from over 86,000 repositories, covering a total of over 301,000 unique open source libraries.
Last year, the Linux Foundation brought together Microsoft, GitHub, Google, IBM, Red Hat, JPMorgan and others to create the Open Source Security Foundation (OpenSSF) with the aim of improving open source security. Earlier this year, the group announced the Scorecard project to help clean up the open source software supply chain.