Harness and Traceable have entered into a definitive merger agreement, creating an advanced AI-native DevSecOps platform.
The explosion of open source software consumption, combined with the increasing backlog of critical vulnerabilities and the rise of outside threats, paints an alarming picture of the current state of software supply chain security. Sonatype's State of the Software Supply Chain Report highlights the biggest issues plaguing development teams, revealing how cyber attacks are evolving and emphasizing the need for better defense.
The Current Software Supply Chain Security Landscape
Open source is experiencing a time of unprecedented growth, with an estimated 6.6 trillion downloads of open source packages at the end of 2024. However, this surge in consumption also brings a host of new threats. With open source accounting for up to 90% of modern software applications, the software supply chain has become a primary target for bad actors. For example, at the same time the JavaScript ecosystem has experienced a 70% year-over-year increase in requests, it has also seen a 156% year-over-year increase in malicious packages — totaling more than 512,847 in the past year alone.
This is just one example of the urgent need for greater risk mitigation within software development. The problem contributing to this persistent risk is two-fold. First, there is a lack of discipline in selecting and managing open source components. Despite updated versions available for over 99% of packages, 80% of application dependencies remain un-upgraded for over a year. On top of that, when vulnerable components are consumed, a fixed version already exists 95% of the time. Second, traditional scanning tools and endpoint security products cannot detect new open source malware, meaning DevOps teams often aren't even aware they're at risk until malware is already present in their build environments.
As threats continue to increase, organizations must mitigate them proactively. This starts with developers adopting a "security-first" mindset, one that prioritizes responsible dependency management, leverages advanced tools and focuses on earlier intervention. Doing so is the only way to minimize risk before it's too late.
The Need For Proactive Dependency Management
Organizations must prioritize proactive dependency management, high-quality component selection and vigilance against vulnerabilities to mitigate escalating risks. A Software Bill of Materials (SBOM) is an essential tool in this approach, as it offers a comprehensive inventory of all software components, enabling organizations to quickly identify and address vulnerabilities across their dependencies. In fact, projects that implement an SBOM to manage open source software dependencies demonstrate a 264-day reduction in the time taken to fix vulnerabilities compared to those that do not. SBOMs provide a comprehensive list of every component within the software, enabling quicker response times to threats and bolstering overall security.
However, despite the rise in SBOM usage, it is not keeping pace with the influx of new components being created, highlighting the need for enhanced automation, tooling and support for open source maintainers. In the past year, 60,813 SBOMs were published while 6,971,092 new components were created within the same timeframe, which demonstrates the critical gap in software transparency that exacerbates risks from unmanaged dependencies and persistent vulnerabilities.
This complacency — characterized by a false sense of security — accumulates risks that threaten the integrity of software supply chains. The rise of open source malware further complicates the landscape, as attackers exploit poor dependency management. Recent malicious npm packages, for example, concealed macOS malware in travis.yml files, deploying binaries disguised as legitimate updates. These incidents show how attackers use public repositories to infiltrate development environments. To secure their environments effectively, software manufacturers must adopt rigorous practices and advanced tooling.
Best Practices for Reliable Dependency Management
Despite the increasing challenges, there is a light at the end of the tunnel. While not a silver bullet, proactive dependency management can reduce many of these risks if a few best practices are followed:
■ Focus on High-Quality Components: Prioritize high-quality open source components. Projects supported by recognized foundations exhibit better security practices and fewer vulnerabilities.
■ Leverage Intelligent Software Composition Analysis (SCA): Implementing intelligent SCA tools can enhance developer efficiency and risk management without altering workflows.
■ Utilize Automation to Enhance Collaboration and Save Developer Time: Implement scalable automation for dependency management to reduce conflicts between security and engineering teams, freeing up to 5% of engineering capacity. By updating components only when necessary, automation minimizes false positives, reduces noise and saves valuable developer time.
■ Integrate Advanced Reachability Analysis: Combining reliable automation with advanced reachability analysis empowers developers to produce high-quality software more quickly. This approach enables security teams to focus on actionable vulnerabilities, further enhancing overall security.
■ Make SBOM Practices Standard: Implementing SBOMs as a core practice provides visibility into software components, essential for quickly identifying and remediating vulnerabilities. Organizations should treat SBOM management as a fundamental part of their security protocols.
By prioritizing better dependency management, organizations can significantly improve their security posture and operational efficiency, ensuring they remain competitive and resilient against evolving threats to the software supply chain.
Industry News
Endor Labs announced a partnership with GitHub that makes it easier than ever for application security teams and developers to accurately identify and remediate the most serious security vulnerabilities—all without leaving GitHub.
Are you using OpenTelemetry? Are you planning to use it? Click here to take the OpenTelemetry survey.
GitHub announced a wave of new features and enhancements to GitHub Copilot to streamline coding tasks based on an organization’s specific ways of working.
Mirantis launched k0rdent, an open-source Distributed Container Management Environment (DCME) that provides a single control point for cloud native applications – on-premises, on public clouds, at the edge – on any infrastructure, anywhere.
Hitachi Vantara announced a new co-engineered solution with Cisco designed for Red Hat OpenShift, a hybrid cloud application platform powered by Kubernetes.
Onapsis announced Onapsis Control Central for SAP application security testing and custom code security supporting RISE with SAP transformations.
Progress announced its recognition in the 2025 Gartner Magic Quadrant for Digital Experience Platforms.
Copado announced comprehensive DevOps support for Salesforce Data Cloud deployments, enabling organizations to streamline the development and deployment of Agentforce solutions.
Appfire announced its acquisition of Flow, an enterprise software product for Software Engineering Intelligence (SEI), from Pluralsight.
Check Point® Software Technologies Ltd. announced new Infinity Platform capabilities to accelerate zero trust, strengthen threat prevention, reduce complexity, and simplify security operations.
WaveMaker announced the release of WaveMaker AutoCode, an AI-powered plugin for the Figma universe that produces pixel-perfect front-end components with lightning fast accuracy.
DoiT announced the acquisition of PerfectScale, an automated Kubernetes (K8s) optimization and governance platform.
Parasoft earned a top spot as a Leader and Fast Mover in the latest GigaOm Radar Report on API Functional Automated Testing.
Linux Foundation Europe and OpenSSF announced a global joint-initiative to help prepare maintainers, manufacturers, and open source stewards for the implementation of the EU Cyber Resilience Act (CRA) and future cybersecurity legislation targeting jurisdictions around the world.