Sonatype, the company that hosts the Maven Central Repository, says that one in sixteen downloads from it is for a Java component with a known security vulnerability.
According to Sonatype, developers download about 31 billion Java components a year, and over 1,000 new components and over 10,000 new component versions are published daily.
Companies today pull their dependencies from managed, central component repositories. Some rely on private projects, but most build on open-source code, which they often download and import into their projects without a proper security audit.
Sonatype estimates that between 80 and 90 percent of today’s enterprise code is actually made up of open source components, imported from public repositories.
Because security vulnerabilities are public, and because Sonatype has access to the repository's download statistics, it is uniquely positioned to warn developers about the risk of building on insecure or outdated components.
The warning matters doubly for enterprises: if an attacker compromises an application built from vulnerable components, the economic impact can be severe.
Older components have a 3x higher rate of vulnerabilities
After studying 3,000 organizations and over 25,000 enterprise applications across several industries, Sonatype says that the average company downloads about 5,000 unique components each year.
The older a component, the more likely it is to contain a known security vulnerability. Worse, 97 percent of all downloaded components cannot easily be traced or audited.
Sonatype estimates that fixing just 10 percent of the security bugs across 2,000 applications would cost a company about $7.42 million.
These findings make the case for managing the software supply chain so that vulnerabilities are kept out in the first place: the time spent auditing a component before it is added to a project is recovered later, when there are fewer security bugs to deal with.
Removing vulnerable components from these centrally managed repositories should also become a top priority for the communities that maintain them.
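The pre-import check the previous paragraphs call for can be automated. The script below is an added example, not code from the article or from Sonatype's tooling: it parses a Maven `pom.xml`, resolves `${property}` versions, compares each dependency against an advisory list of affected version ranges, and fails closed when a version cannot be determined. The pom, the coordinates (`org.example.*`) and the advisory entries are all constructed for illustration and describe no real vulnerabilities; a real check would query a vulnerability database instead of the hard-coded list.

```python
"""Audit a Maven pom.xml against an advisory list before a dependency is adopted.

Added example. The pom and the advisory entries are constructed for
illustration and do not refer to real vulnerabilities in any real artifact.
"""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional

POM_NS = "http://maven.apache.org/POM/4.0.0"

# Constructed sample pom.xml with hypothetical coordinates. log-lib's version
# refers to a property that is never defined, to exercise the fail-closed path.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <json.version>1.2.3</json.version>
  </properties>
  <dependencies>
    <dependency><groupId>org.example.json</groupId><artifactId>json-parser</artifactId><version>${json.version}</version></dependency>
    <dependency><groupId>org.example.net</groupId><artifactId>http-client</artifactId><version>2.0.5</version></dependency>
    <dependency><groupId>org.example.util</groupId><artifactId>commons-helper</artifactId><version>3.1.0</version></dependency>
    <dependency><groupId>org.example.log</groupId><artifactId>log-lib</artifactId><version>${log.version}</version></dependency>
  </dependencies>
</project>
"""

# Constructed advisory feed: (group, artifact, first affected, first fixed).
# A real audit would pull these ranges from a vulnerability database.
ADVISORIES = [
    ("org.example.json", "json-parser", "1.0.0", "1.3.0"),
    ("org.example.net", "http-client", "2.0.0", "2.0.5"),
]


@dataclass
class Dependency:
    group: str
    artifact: str
    version: Optional[str]  # None when it could not be resolved


def parse_version(v: str):
    """Turn a dotted version into a comparable tuple; numeric parts compare
    numerically (so 1.10 > 1.9), non-numeric parts sort after numbers."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in v.split("."))


def resolve(version: Optional[str], properties: dict) -> Optional[str]:
    """Expand a ${prop} reference from <properties>; None if missing/unknown."""
    if version is None:
        return None
    if version.startswith("${") and version.endswith("}"):
        return properties.get(version[2:-1])
    return version


def parse_pom(pom_xml: str):
    """Extract direct dependencies with resolved versions from a pom.xml."""
    root = ET.fromstring(pom_xml)
    ns = {"m": POM_NS}
    props = {p.tag.split("}")[1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", ns)}
    deps = []
    for d in root.findall("m:dependencies/m:dependency", ns):
        deps.append(Dependency(
            d.findtext("m:groupId", namespaces=ns),
            d.findtext("m:artifactId", namespaces=ns),
            resolve(d.findtext("m:version", namespaces=ns), props)))
    return deps


def audit(deps, advisories):
    """Return [(coordinate, status)]: 'vulnerable' if the version lies in
    [first_affected, first_fixed), 'unresolved' if no version could be
    determined (e.g. an undefined property or a BOM-managed version), else 'ok'."""
    findings = []
    for dep in deps:
        coord = f"{dep.group}:{dep.artifact}:{dep.version or '?'}"
        if dep.version is None:
            findings.append((coord, "unresolved"))
            continue
        pv = parse_version(dep.version)
        status = "ok"
        for g, a, first_bad, first_fixed in advisories:
            if (g, a) == (dep.group, dep.artifact) and \
                    parse_version(first_bad) <= pv < parse_version(first_fixed):
                status = "vulnerable"
                break
        findings.append((coord, status))
    return findings


def passes(findings) -> bool:
    """Gate for CI: anything vulnerable or unresolved blocks the import."""
    return all(status == "ok" for _, status in findings)


if __name__ == "__main__":
    results = audit(parse_pom(SAMPLE_POM), ADVISORIES)
    for coord, status in results:
        print(f"{status:11} {coord}")
    print("PASS" if passes(results) else "FAIL")
```

The check treats an unresolvable version as a failure rather than skipping it: a dependency whose version comes from an undefined property or an external BOM is exactly the kind of component the article describes as impossible to trace or audit, and a gate that silently ignores it gives false assurance.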
Sonatype's full report contains more information about the state of today's software supply chain.