Sonatype Finds Increase in Cyber Attacks

On August 12, Sonatype released its “2020 State of the Software Supply Chain” report on the open-source ecosystem. According to the report, the number of “next-generation” cyber attacks on open-source projects rose by a staggering 430% in a single year.

Sonatype is a vendor of software supply chain automation technology, and State of the Software Supply Chain is its annual report on the open-source ecosystem. This sixth edition draws on data from over 5,600 software developers, 24,000 open-source projects, and 15,000 development organizations.

The report counts 929 “next-generation” attacks between July 2019 and May 2020, against 216 for the entire period from February 2015 to June 2019. That is roughly 4.3 times the earlier total, which Sonatype reports as a 430% surge in one year.

“Next-generation” is the report’s label for attacks like Octopus Scanner, which compromised open-source projects hosted on GitHub. Where a breach like Equifax is tactical, exploiting a newly disclosed vulnerability in a component that is already deployed downstream, “next-generation” attacks inject malicious code into upstream open-source projects, so that the compromise is inevitably distributed to every downstream consumer through the normal dependency flow.
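The practical consequence of an upstream compromise is that the artifact arriving through the dependency flow is no longer the one that was reviewed, so the downstream check has to bind each dependency to an exact version and content hash. The following is an added example (not code from Sonatype or the report) of that control in the style of pip’s --require-hashes manifests: it parses a hash-pinned requirements file and rejects any fetched artifact whose sha256 is not pinned, including a backdoored release published under a trusted name. The package names, artifact bytes and manifest are constructed for the example; the hashes in the manifest are computed from the constructed artifacts so it runs offline.

```python
import hashlib
import re

# Constructed artifacts standing in for a package's downloaded wheel and
# sdist. A real artifact is the file pip fetched from the index; the bytes
# here are invented so the example runs offline.
GOOD_WHEEL = b"PK\x03\x04 examplelib-1.4.2-py3-none-any.whl (constructed)"
GOOD_SDIST = b"\x1f\x8b examplelib-1.4.2.tar.gz (constructed)"
OTHER_WHEEL = b"PK\x03\x04 otherlib-0.9.0-py3-none-any.whl (constructed)"
# The same wheel name, but with extra code injected upstream: an attacker
# who compromised the project would ship this under the trusted name.
TAMPERED_WHEEL = GOOD_WHEEL + b"\n# injected: post-install payload"

# Constructed pinned manifest in pip's --require-hashes style. The hashes are
# computed here from the constructed artifacts; in practice they come from
# the lock step (e.g. pip-compile --generate-hashes) and are committed.
REQUIREMENTS = (
    "# constructed pinned manifest\n"
    f"examplelib==1.4.2 --hash=sha256:{hashlib.sha256(GOOD_WHEEL).hexdigest()} \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD_SDIST).hexdigest()}\n"
    f"otherlib==0.9.0 --hash=sha256:{hashlib.sha256(OTHER_WHEEL).hexdigest()}\n"
)

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==(\S+)(.*)$")
HASH_RE = re.compile(r"--hash=sha256:([0-9a-f]{64})")


def parse_pins(requirements_text):
    """Parse pinned requirement lines into {name: {"version", "hashes"}}.

    Raises ValueError for any line that is not an exact ==version pin or
    carries no sha256 hash, so an unpinned dependency fails closed.
    """
    pins = {}
    # pip joins backslash-continued lines before parsing; do the same.
    joined = requirements_text.replace("\\\n", " ")
    for raw in joined.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = PIN_RE.match(line)
        if not m:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version, rest = m.groups()
        hashes = set(HASH_RE.findall(rest))
        if not hashes:
            raise ValueError(f"{name}=={version} has no sha256 hash pin")
        pins[name.lower()] = {"version": version, "hashes": hashes}
    return pins


def is_fully_pinned(requirements_text):
    """CI gate: True only if every requirement is version- and hash-pinned."""
    try:
        parse_pins(requirements_text)
    except ValueError:
        return False
    return True


def verify_artifact(pins, name, version, artifact_bytes):
    """Check one fetched artifact against the pins; returns (ok, reason).

    Any artifact whose digest is not in the pinned set is rejected, which is
    what catches a backdoored release published under an existing name.
    """
    pin = pins.get(name.lower())
    if pin is None:
        return False, f"{name} is not in the pinned manifest"
    if pin["version"] != version:
        return False, f"{name}: pinned {pin['version']}, got {version}"
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    if digest not in pin["hashes"]:
        return False, f"{name}=={version}: sha256 {digest[:16]}... not pinned"
    return True, "ok"


if __name__ == "__main__":
    pins = parse_pins(REQUIREMENTS)
    for label, blob in (("good wheel", GOOD_WHEEL), ("tampered wheel", TAMPERED_WHEEL)):
        print(label, verify_artifact(pins, "examplelib", "1.4.2", blob))
```

The hash pin is what makes the difference: a version pin alone still trusts whatever the index serves for that version, whereas a mismatched digest fails the build at fetch time, before any install hook runs. The same idea applies to npm lockfile `integrity` fields and Maven checksum verification; the gate is only as good as the review that produced the pinned hashes in the first place.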

Sonatype also reports on how enterprise development teams respond to vulnerabilities in open-source software components: 47% of organizations said it takes them more than a week to learn of a new open-source vulnerability, and 51% said it takes them more than a week to remediate one.

11% of the open-source components that developers build into their applications are known vulnerable, with an average of 38 vulnerabilities discovered per application.

2020 State of the Software Supply Chain
https://www.sonatype.com/2020ssc