Four upgrades per year is best development practice, says Sonatype survey
Development teams should aim for a minimum of four releases every year, upgrading at least 80% of their dependencies with each release, according to research by Maryland-based software company Sonatype.
The findings were published in Sonatype’s latest State of Software Supply Chain survey, which also found respondents reporting a 71% increase in open source breaches over the past five years. The survey is designed to establish best practices exhibited by open source software projects and commercial application development teams, and analyses the supply and consumption of open source components.
From the research, Sonatype concluded that teams that update their dependencies more frequently statistically produce more secure code, leaving their applications less exposed to attacks on the software supply chain. This matters, according to Sonatype, because adversaries are now exploiting an attack vector in which malicious code or vulnerabilities are injected directly into open source project releases, so that anything built on a compromised release inherits the problem. These attacks are particularly high-risk for financial services; when malicious code infiltrated the build chain of the cryptocurrency wallet Agama in June 2019, it endangered over $13m in cryptocurrency assets.
“We have long advised organisations that they should rely on the fewest open source component suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype. “For organisations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%.”