“We’ve long advised organizations to rely on the fewest open-source components suppliers with the best track records,” says Wayne Jackson, Sonatype CEO.

It turns out you can have too much of a good thing. According to the 2019 edition of the “State of the Software Supply Chain Report,” the latest boom in open-source software can lead to more vulnerabilities, technical debt and costs.

This is the fifth edition produced by Sonatype and, like previous versions, the sample size is gigantic: 36,000 open-source project teams, 3.7 million open-source releases, 12,000 engineering teams and two surveys for a combined participation of over 6,200 people. You can download the report, free with email registration, here.

Researchers found a 75 percent growth in supply of open-source component releases over the past two years, counterbalanced by a 71-percent increase in confirmed or suspected open-source related breaches since 2014.

“We’ve long advised organizations to rely on the fewest open-source components suppliers with the best track records in order to develop the highest quality and lowest risk software,” says Wayne Jackson, Sonatype CEO. The report recommends companies “tame their software supply chains” through better supplier choices, component selection and use of automation thereby reducing vulnerable components by 55 percent.

Best practices

Beyond not overloading on components, researchers found a number of characteristics common to successful teams who tended to be larger, release software twice as fast and tinker away on projects that are six times more downloaded than other teams. Less obvious? These teams were dedicated to the workaday drudgery of updating dependencies and pushing patches.

“Good development teams consider out-of-date libraries a code quality issue,” Jeremy Long, founder of the OWASP Dependency Check project says about the findings. “They build time into their schedule to upgrade their dependencies.”

The report found these open-source superstars 10 times more likely to schedule dependency updates as part of their daily work. They are also on top of vulnerabilities – clocking median times to remediate (MTT) that are 3.4 times faster than less-successful teams and they are 27 percent more likely than “laggard teams” to already be protected when new vulnerabilities crop up. Teams in the bottom 20 percent for median time to update (MTTU) and stale dependencies were the furthest behind in terms of “update hygiene,” the report found.

For projects looking to ramp up, the report still advises investing development effort on new features and bug fixes but committing similar resources to dependency management. “This means that developers maintaining open-source software projects who are considering adding a new dependency and looking for a metric to guide that choice should focus on those dependencies with fast MTTU,” report authors state.

In another interesting finding — contrary to the evergreen argument that there are too many — the report notes that successful teams are four times more likely to be housed in open-source foundations rather than traditional companies.

Check out the full report here.