The use of open source components can help speed up the software development process, but it comes with a risk if poor quality code leads to vulnerable applications being released.
The latest State of the Software Supply Chain Report from DevOps tools specialist Sonatype reveals that organizations that actively manage the quality of open source components flowing into production applications realize a 28 percent improvement in developer productivity, a 30 percent reduction in overall development costs, and a 48 percent increase in application quality.
“Companies are no longer building software applications from scratch, they are manufacturing them as fast as they can using an infinite supply of open source component parts,” says Wayne Jackson, CEO of Sonatype. “However, many still rely on manual and time-consuming governance and security practices instead of embracing DevOps-native automation. Our research continues to show that development teams managing trusted software supply chains are dramatically improving quality and productivity.”
The report also reveals that open source component suppliers are slow to fix vulnerabilities. Only 15.8 percent of OSS projects actively fix vulnerabilities, and even then the mean time to remediation is 233 days. This puts the onus on DevOps organizations to actively govern which OSS projects they work with, and which components they ultimately…