Red Hat announced jointly-engineered, integrated and supported images for Red Hat Enterprise Linux across Amazon Web Services (AWS), Google Cloud and Microsoft Azure.
The explosion of open source software consumption, combined with the increasing backlog of critical vulnerabilities and the rise of outside threats, paints an alarming picture of the current state of software supply chain security. Sonatype's State of the Software Supply Chain Report highlights the biggest issues plaguing development teams, revealing how cyber attacks are evolving and emphasizing the need for better defense.
The Current Software Supply Chain Security Landscape
Open source is experiencing a time of unprecedented growth, with an estimated 6.6 trillion downloads of open source packages at the end of 2024. However, this surge in consumption also brings a host of new threats. With open source accounting for up to 90% of modern software applications(link is external), the software supply chain has become a primary target for bad actors. For example, at the same time the JavaScript ecosystem has experienced a 70% year-over-year increase in requests, it has also seen a 156% year-over-year increase in malicious packages — totaling more than 512,847 in the past year alone.
This is just one example of the urgent need for greater risk mitigation within software development. The problem contributing to this persistent risk is two-fold. First, there is a lack of discipline in selecting and managing open source components. Despite updated versions available for over 99% of packages, 80% of application dependencies remain un-upgraded for over a year. On top of that, when vulnerable components are consumed, a fixed version already exists 95% of the time. Second, traditional scanning tools and endpoint security products cannot detect new open source malware, meaning DevOps teams often aren't even aware they're at risk until malware is already present in their build environments.
As threats continue to increase, organizations must mitigate them proactively. This starts with developers adopting a "security-first" mindset, one that prioritizes responsible dependency management, leverages advanced tools and focuses on earlier intervention. Doing so is the only way to minimize risk before it's too late.
The Need For Proactive Dependency Management
Organizations must prioritize proactive dependency management, high-quality component selection and vigilance against vulnerabilities to mitigate escalating risks. A Software Bill of Materials (SBOM) is an essential tool in this approach, as it offers a comprehensive inventory of all software components, enabling organizations to quickly identify and address vulnerabilities across their dependencies. In fact, projects that implement an SBOM to manage open source software dependencies demonstrate a 264-day reduction in the time taken to fix vulnerabilities compared to those that do not. SBOMs provide a comprehensive list of every component within the software, enabling quicker response times to threats and bolstering overall security.
However, despite the rise in SBOM usage, it is not keeping pace with the influx of new components being created, highlighting the need for enhanced automation, tooling and support for open source maintainers. In the past year, 60,813 SBOMs were published while 6,971,092 new components were created within the same timeframe, which demonstrates the critical gap in software transparency that exacerbates risks from unmanaged dependencies and persistent vulnerabilities.
This complacency — characterized by a false sense of security — accumulates risks that threaten the integrity of software supply chains. The rise of open source malware further complicates the landscape, as attackers exploit poor dependency management. Recent malicious npm packages, for example, concealed macOS malware in travis.yml files, deploying binaries disguised as legitimate updates. These incidents show how attackers use public repositories to infiltrate development environments. To secure their environments effectively, software manufacturers must adopt rigorous practices and advanced tooling.
Best Practices for Reliable Dependency Management
Despite the increasing challenges, there is a light at the end of the tunnel. While not a silver bullet, proactive dependency management can reduce many of these risks if a few best practices are followed:
■ Focus on High-Quality Components: Prioritize high-quality open source components. Projects supported by recognized foundations exhibit better security practices and fewer vulnerabilities.
■ Leverage Intelligent Software Composition Analysis (SCA): Implementing intelligent SCA tools can enhance developer efficiency and risk management without altering workflows.
■ Utilize Automation to Enhance Collaboration and Save Developer Time: Implement scalable automation for dependency management to reduce conflicts between security and engineering teams, freeing up to 5% of engineering capacity. By updating components only when necessary, automation minimizes false positives, reduces noise and saves valuable developer time.
■ Integrate Advanced Reachability Analysis: Combining reliable automation with advanced reachability analysis empowers developers to produce high-quality software more quickly. This approach enables security teams to focus on actionable vulnerabilities, further enhancing overall security.
■ Make SBOM Practices Standard: Implementing SBOMs as a core practice provides visibility into software components, essential for quickly identifying and remediating vulnerabilities. Organizations should treat SBOM management as a fundamental part of their security protocols.
By prioritizing better dependency management, organizations can significantly improve their security posture and operational efficiency, ensuring they remain competitive and resilient against evolving threats to the software supply chain.
Industry News
Komodor announced the integration of the Komodor platform with Internal Developer Portals (IDPs), starting with built-in support for Backstage and Port.
Operant AI announced Woodpecker, an open-source, automated red teaming engine, that will make advanced security testing accessible to organizations of all sizes.
As part of Summer '25 Edition, Shopify is rolling out new tools and features designed specifically for developers.
Lenses.io announced the release of a suite of AI agents that can radically improve developer productivity.
Google unveiled a significant wave of advancements designed to supercharge how developers build and scale AI applications – from early-stage experimentation right through to large-scale deployment.
Red Hat announced Red Hat Advanced Developer Suite, a new addition to Red Hat OpenShift, the hybrid cloud application platform powered by Kubernetes, designed to improve developer productivity and application security with enhancements to speed the adoption of Red Hat AI technologies.
Perforce Software announced Perforce Intelligence, a blueprint to embed AI across its product lines and connect its AI with platforms and tools across the DevOps lifecycle.
CloudBees announced CloudBees Unify, a strategic leap forward in how enterprises manage software delivery at scale, shifting from offering standalone DevOps tools to delivering a comprehensive, modular solution for today’s most complex, hybrid software environments.
Azul and JetBrains announced a strategic technical collaboration to enhance the runtime performance and scalability of web and server-side Kotlin applications.
Docker, Inc.® announced Docker Hardened Images (DHI), a curated catalog of security-hardened, enterprise-grade container images designed to meet today’s toughest software supply chain challenges.
GitHub announced that GitHub Copilot now includes an asynchronous coding agent, embedded directly in GitHub and accessible from VS Code—creating a powerful Agentic DevOps loop across coding environments.
Red Hat announced its integration with the newly announced NVIDIA Enterprise AI Factory validated design, helping to power a new wave of agentic AI innovation.
JFrog announced the integration of its foundational DevSecOps tools with the NVIDIA Enterprise AI Factory validated design.
GitLab announced the launch of GitLab 18, including AI capabilities natively integrated into the platform and major new innovations across core DevOps, and security and compliance workflows that are available now, with further enhancements planned throughout the year.