Managed Software Supply Chain Delivers Increased Productivity and Quality
August 28, 2017

Pete Goldin

Organizations that are actively managing the quality of open source components flowing into production applications are realizing a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality, according to the 2017 State of the Software Supply Chain Report from Sonatype.

Furthermore, analysis of more than 17,000 applications reveals that applications built by teams utilizing automated governance tools reduced the percentage of defective components by 63 percent.

Conversely, organizations failing to manage software supply chains are unwittingly releasing vulnerable applications into production, wasting thousands of hours on rework and bug fixes, and facing increased liability due to gross negligence.

Additional key findings of the 2017 State of the Software Supply Chain report include:

Consumption of open source components is growing on a massive scale

■ Year-over-year downloads of Java components grew 68 percent (52 billion in 2016), JavaScript downloads grew 262 percent (59 billion in 2016), and demand for Docker components is expected to grow 100 percent (12 billion downloads).

■ Faced with a near infinite supply of open source components, high-functioning DevOps organizations are utilizing machine automation to govern the quality of open source components flowing through their software supply chains.

Open source component suppliers remain slow to fix vulnerabilities

■ Even when vulnerabilities are known, OSS projects are slow to remediate - if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.

■ This puts the onus on DevOps organizations to actively govern which OSS projects they work with, and which components they ultimately consume.

Number of downloaded components with known vulnerabilities is slightly decreasing

■ In 2016, the percent of Java components downloaded from the Central Repository that contained known security vulnerabilities fell to 5.5 percent (1 in 18), down from 6.1 percent the year prior.  

■ Although this defect download ratio is far from perfect, there is empirical evidence that hygiene is beginning to improve with ratios declining slightly in each of the last three years.

The regulatory landscape is rapidly changing

■ In the past year in the United States, the White House, four federal agencies, and the automotive industry have released new guidelines to improve the quality, safety, and security of software supply chains.

Wayne Jackson, CEO, Sonatype, said: “Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts. However, many still rely on manual and time consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity.”

Methodology: The 2017 State of the Software Supply Chain Report blends a broad set of public and proprietary data with expert research and analysis. This year’s report extends beyond Java data to include supply chain findings from JavaScript, NuGet, Python, and Docker ecosystems.

The Latest

March 19, 2018

The global DevOps market size is expected to reach USD 12.85 billion by 2025, according to a new study by Grand View Research, registering an 18.60% CAGR during the forecast period ...

March 15, 2018

More than half of companies (52%) admit to cutting back on security measures to meet a business deadline or objective, according to a SecOps research report released by Threat Stack ...

March 13, 2018

While microservices can certainly be used for greenfield projects, the survey suggests that this is not the sole source of value. In fact, more than half of respondents indicate that they are also using microservices to re-architect existing projects. The reality we see is that microservices can offer value to users along their IT transformation journey — whether they are just looking to update their current application portfolio or are gearing up for new initiatives ...

March 12, 2018

As DevOps teams and developers are looking to make 2018 the year in which technical crises are avoided, continuous testing should be at the top of their resolutions list. Here are four steps developers and DevOps teams can take to ensure the benefits of continuous testing are effectively implemented throughout the development process ...

March 08, 2018

Digital leaders will outpace their rivals by adopting methodologies and mindsets that shorten software delivery cycles. They'll also get really, really good at rapid, iterative change following design thinking principles ...

March 06, 2018

There are six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments, and there are also some best practices companies can use to address those pain points ...

March 05, 2018

With more than 30 Kubernetes solutions in the marketplace, it's tempting to think Kubernetes and the vendor ecosystem has solved the problem of operationalizing containers at scale. Far from it. There are six major pain points that companies experience when they try to deploy and run Kubernetes in their complex environments, and there are also some best practices companies can use to address those pain points ...

March 01, 2018

With the growing adoption of tablets and smartphones, companies are constantly seeking new web technologies that support multiple device types in addition to traditional desktops. At the same time, they are continually adding capabilities to their web applications that help users visualize and analyze data regardless of the platform or device used. To keep up in this changing technology environment, organizations must deliver these complex applications quickly, with high quality, and yet find ways to maximize their investment in these apps over the long haul ...

February 27, 2018

While most organizations are committed to the full adoption of both agile and DevOps, many are struggling with key challenges and missing out on the extensive benefits these practices can have on their bottom line, according to a global study by CA Technologies ...

February 26, 2018

To help understand the current state of development trends, Dimensional Research and Micro Focus worked together to create the, Managing the migration to DevOps: A global survey of software developers report. The research shows that nearly all organizations are already adopting or are taking a strong interest in the processes necessary to implement DevOps. But, there are challenges to overcome as companies because they are often running both traditional waterfall and DevOps development and release processes in tandem — and plan to support both into the future ...

Share this