One in 10 Open Source Components Downloaded by UK Firms Contain a Known Vulnerability

  • Many companies are still using the flawed Struts component, which was responsible for the Equifax breach.
  • There is a slight decrease in vulnerable downloads as businesses improve software supply chain management.
  • Better supplier choices, component selection and use of automation can bring impressive rewards.


Vulnerable open source software components are posing a security threat to UK firms, according to Sonatype’s 2019 State of the Software Supply Chain report.

Of the 248,000 open source components that UK businesses downloaded on average in 2018, 8.8 percent were found to have a known security flaw.

Out of the vulnerabilities in open source software downloaded by UK firms, 30 percent were classified as critical. The report noted that these findings reveal a worrying trend of vulnerable components being built into applications.

Findings in the report are based on analysis of 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases.

Derek, vice president and DevOps advocate at Sonatype, reiterated what the company has been saying for years: “Innovation is critical, speed is king, and open source is at center stage.”

Sonatype’s latest research further underscores these accelerating trends throughout the software supply chain and also shows that taming the supply chain is possible, he wrote in a blog post.

Vulnerable downloads fall in 2018

The report also found that many companies are still using the flawed Struts component, which was responsible for the Equifax breach and attacks on at least eight other major institutions.

Downloads of the flawed Struts component increased by 11 percent in the 12 months after the Equifax breach, with an average of 2.1 million downloads a month, according to the report.

However, businesses have also started adopting breakthrough coding practices, which has resulted in a significant reduction in threats.

The findings also showed a slight decrease in vulnerable downloads from one in eight in 2017 to one in 10 in 2018, as businesses improve software supply chain management.

Ways to reduce security risk

Developers using the most current versions of open source component dependencies can dramatically reduce their cyber security risk, the report said.

“By making better supplier choices, component selection, and using automation, dev teams are seeing impressive rewards. In fact, for those development teams actively managing their software supply chains, the use of known vulnerable component releases was reduced by 55 percent,” Derek said.

Enterprise development teams using software supply chain automation are also 12 times more likely to have automated tools to manage open source dependencies and are 9.3 times more likely to proactively remove problematic or unused dependencies, the report noted.
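As an added illustration of the practices described above (not code from the report or from Sonatype), the script below audits a constructed dependency manifest against a constructed advisory list, flagging releases that fall inside a vulnerable version range and components that are declared but never imported. Every coordinate, version and range in it is a placeholder, not real advisory data.

```python
# Added example: audit a dependency manifest against an advisory list, flagging
# known-vulnerable releases and unused components. All coordinates, versions
# and ranges below are CONSTRUCTED placeholders, not real advisory data.
from dataclasses import dataclass


def parse_version(v: str) -> tuple:
    """Turn '2.3.34' into (2, 3, 34) so version ranges compare numerically."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Advisory:
    group: str
    artifact: str
    affected_from: str   # inclusive lower bound of the vulnerable range
    fixed_in: str        # first release that is no longer affected
    severity: str


# Constructed advisory feed (placeholder ranges, NOT real CVE data).
ADVISORIES = [
    Advisory("example.struts", "struts2-core", "2.0.0", "2.9.0", "critical"),
    Advisory("example.util", "text-utils", "1.0.0", "1.4.2", "high"),
]


def is_affected(version: str, adv: Advisory) -> bool:
    """True when version lies in [affected_from, fixed_in)."""
    v = parse_version(version)
    return parse_version(adv.affected_from) <= v < parse_version(adv.fixed_in)


def audit(manifest: list, imported: set) -> dict:
    """manifest: (group, artifact, version) triples; imported: artifacts the code uses."""
    report = {"vulnerable": [], "unused": []}
    for group, artifact, version in manifest:
        for adv in ADVISORIES:
            if (adv.group, adv.artifact) == (group, artifact) and is_affected(version, adv):
                report["vulnerable"].append((artifact, version, adv.severity, adv.fixed_in))
        if artifact not in imported:           # declared but never used: remove it
            report["unused"].append(artifact)
    return report


# Constructed manifest, as a build tool might resolve it for a project.
MANIFEST = [
    ("example.struts", "struts2-core", "2.3.34"),
    ("example.util", "text-utils", "1.4.2"),
    ("example.log", "log-helper", "0.9.1"),
]
IMPORTED = {"struts2-core", "text-utils"}

if __name__ == "__main__":
    for kind, items in audit(MANIFEST, IMPORTED).items():
        print(kind, items)
```

A real pipeline would replace the constructed advisory list with a maintained feed and run the check at build time, so a vulnerable or unused component fails the build before it ships.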
