Software wet wipes, Sonatype advocates supply chain hygiene

Supply chain automation company Sonatype produces what it calls its Software Supply Chain Report every year (now in its third) in an attempt to highlight the alleged ‘risks’ lurking within open source software components.

Software supply chain hygiene

The firm gets quite puritanical and says it wants to quantify the empirical benefits of actively managing so-called software supply chain hygiene.

There’s a big claim being made here and it reads as follows — organisations that are actively managing the quality of open source components flowing into production applications are realising:

  • a 28 percent improvement in developer productivity,
  • a 30 percent reduction in overall development costs,
  • a 48 percent increase in application quality.

Automated governance tools

Sonatype specialises in technology areas which include automated governance tools within the context of what we now understand to be the DevOps discipline.

With the above fact (and perhaps a pinch of salt) in mind then, we can learn that analysis of more than 17,000 applications reveals that applications built by teams utilising automated governance tools reduced the percentage of defective components by 63%.

“Companies are no longer building software applications from scratch; they are manufacturing them as fast as they can using an infinite supply of open source component parts. However, many still rely on manual and time-consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity,” said Wayne Jackson, CEO, Sonatype.

Slow to fix?

The wider claims here (from Sonatype) include suggestions that even when vulnerabilities are known, open source software projects are slow to remediate – if they do so at all. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation was 233 days.

This, says the firm, puts the onus on DevOps organisations to actively govern which open source (OSS) projects they work with, and which components they ultimately consume.
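To make the governance idea concrete, here is an added example of the kind of automated component gate the report is arguing for. It is not Sonatype's code or anything from the report: the lockfile, the project names, the advisory identifiers and the project health figures are all constructed for the illustration, and the report's 233-day mean time to remediation is borrowed only as an assumed policy ceiling. The gate blocks a build on components with unremediated known vulnerabilities and warns on components whose upstream project has no fix history or a slow remediation record.

```python
"""Illustrative OSS component governance gate (added example, not Sonatype's).

Policy modelled on the report's argument: decide which upstream projects you
consume and block components with unfixed known vulnerabilities.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed pip-style lockfile; the component names are hypothetical.
LOCKFILE = """\
# sample lockfile (constructed for this example)
flattener==1.4.2
tiny-yaml==0.9.0
wombat-http==2.1.0
slowlib==3.0.0
"""


@dataclass
class ProjectHealth:
    actively_fixes: bool  # does the upstream project remediate known vulns at all?
    mttr_days: int        # observed mean time to remediation for that project


@dataclass
class Advisory:
    vuln_id: str
    affected_versions: Tuple[str, ...]
    fixed_in: Optional[str]  # None: no fixed release exists yet


# Constructed governance data; identifiers are placeholders, not real CVEs.
PROJECTS: Dict[str, ProjectHealth] = {
    "flattener": ProjectHealth(actively_fixes=True, mttr_days=45),
    "tiny-yaml": ProjectHealth(actively_fixes=False, mttr_days=0),
    "wombat-http": ProjectHealth(actively_fixes=True, mttr_days=30),
    "slowlib": ProjectHealth(actively_fixes=True, mttr_days=400),
}
ADVISORIES: Dict[str, List[Advisory]] = {
    "flattener": [Advisory("EXAMPLE-0001", ("1.4.0", "1.4.1", "1.4.2"), "1.4.3")],
    "tiny-yaml": [Advisory("EXAMPLE-0002", ("0.9.0",), None)],
}

# Assumed policy ceiling: the report's 233-day mean used as the cut-off.
MTTR_THRESHOLD_DAYS = 233

_RANK = {"allow": 0, "warn": 1, "block": 2}


def parse_lockfile(text: str) -> List[Tuple[str, str]]:
    """Return (name, version) pairs from 'name==version' lines; skip comments."""
    pairs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.count("==") != 1:
            raise ValueError(f"unpinned or malformed requirement: {line!r}")
        name, version = line.split("==")
        pairs.append((name.strip(), version.strip()))
    return pairs


def evaluate(name: str, version: str) -> Tuple[str, List[str]]:
    """Apply the policy to one component; returns (verdict, reasons)."""
    verdict, reasons = "allow", []

    def escalate(to: str, why: str) -> None:
        nonlocal verdict
        reasons.append(why)
        if _RANK[to] > _RANK[verdict]:
            verdict = to

    # Known vulnerability in the pinned version: block, and say how to fix.
    for adv in ADVISORIES.get(name, []):
        if version in adv.affected_versions:
            if adv.fixed_in:
                escalate("block", f"{adv.vuln_id}: upgrade to {adv.fixed_in}")
            else:
                escalate("block", f"{adv.vuln_id}: no fixed release, replace component")

    # Project-level hygiene: who you consume from, not just what.
    health = PROJECTS.get(name)
    if health is None:
        escalate("warn", "no governance data for upstream project")
    elif not health.actively_fixes:
        escalate("warn", "upstream project does not remediate known vulnerabilities")
    elif health.mttr_days > MTTR_THRESHOLD_DAYS:
        escalate("warn", f"upstream MTTR {health.mttr_days}d exceeds {MTTR_THRESHOLD_DAYS}d")
    return verdict, reasons


def gate_build(lock_text: str) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every pinned component in the lockfile."""
    return {name: evaluate(name, version) for name, version in parse_lockfile(lock_text)}


def build_allowed(results: Dict[str, Tuple[str, List[str]]]) -> bool:
    """The build passes only when no component is blocked."""
    return all(verdict != "block" for verdict, _ in results.values())


if __name__ == "__main__":
    outcome = gate_build(LOCKFILE)
    for component, (verdict, reasons) in outcome.items():
        print(f"{verdict:5} {component}: {'; '.join(reasons) or 'ok'}")
    print("build allowed:", build_allowed(outcome))
```

The split between blocking and warning is the point: a known, unfixed vulnerability in the pinned version is a hard stop, while a slow or absent upstream fix record is a signal about which projects to keep consuming at all, which is the governance question the report is raising.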

The full report is available here.