Software Supply Chain State of the Union 2024
From Innovation to Infiltration: Safeguarding Against the Hidden Dangers in Your Software Ecosystem
Copyright 2024 JFrog Ltd.
Table of Contents
Introduction | 2 |
Executive Brief | 3 |
What's in Your Software Supply Chain? | 4 |
Number of programming languages used | 5 |
New packages per year per package type | 6 |
Top technologies | 7 |
Key takeaways | 8 |
The Hidden Risk in Your Software Supply Chain | 9 |
Vulnerabilities found in a given technology or package type | 10 |
Most common types of vulnerabilities in 2023 | 11 |
Severity of the vulnerabilities being introduced into your SSC | 13 |
Most dangerous malicious packages | 15 |
Some malicious packages are worse than others | 15 |
Other sources of risk hiding in your code | 16 |
Key takeaways | 18 |
How Organizations are Applying Security Efforts Today | 19 |
Where and when organizations perform security scans | 20 |
Types of scans they perform and the tools they're leveraging | 22 |
How much time security efforts are costing your organization | 24 |
Key takeaways | 26 |
The Influx of AI | 27 |
Key takeaways | 30 |
Methodology | 31 |
JFrog platform usage data | 31 |
Analysis by the JFrog Security Research team | 32 |
Commissioned survey results | 32 |
About JFrog | 33 |
2024 JFrog Ltd. All rights reserved. | https://jfrog.com/ | 1 |
Introduction
As a software security-focused company with a dedicated security research organization and 15+ years supporting developer and security teams, JFrog knows that managing and securing the entire software supply chain is foundational for delivering trusted software releases. But with an expanding open-source ecosystem and an ever-growing toolset to pull into your software supply chain, can your DevSecOps processes keep pace with all the change?
This report combines JFrog usage data from millions of users, CVE analysis by the JFrog Security Research team, and commissioned third-party polling data from 1,224 Security, Development, and Ops professionals to answer that all-important question. The resulting analysis provides context into the broad software supply chain landscape, reveals where risk resides, and shows you what it takes to secure your software supply chain and remain competitive in the industry. We welcome any feedback, which can be shared at data_report@jfrog.com.
Executive Brief
The complexity of the software supply chain has the potential to expose your organization to greater risk than ever before. Leaders who can choose the right tools, processes, and practices for their organizations will be able to harness the power of the most diverse software supply chain we've seen yet, and in turn, solidify their security posture and secure their competitive advantage.
Your Software Supply Chain is Exploding
The growing amount of open-source components available is creating an increasingly vast software supply chain (SSC) to contend with.
- About half of organizations (53%) use 4-9 programming languages, while a substantial 31% use more than 10 languages.
- Docker and npm were the most-contributed-to package types. PyPI contributions also increased, likely driven by AI/ML use cases.
- The most popular technologies used in production-ready software are Maven, npm, Docker, PyPI, Go, Nuget, Conan (C / C++), and Helm.
Where to Focus Your Software Supply Chain Security Efforts
A security mindset has finally hit the mainstream, but disjointed security approaches are costing development teams about a quarter of working time each month.
- 89% of Security, Development and Ops respondents say that their organization has adopted a security framework such as OpenSSF or SLSA.
- A third of organizations (33%) use 10 or more application security tools, with nearly half (47%) using between 4 and 9 tools.
- 60% of professionals say their team typically spends 4 days or more remediating application vulnerabilities in a given month.
Where Risk is Hiding (It Might Not Be Where You Think)
While risk lies beyond the open-source community, not all reported vulnerabilities are worth spending time remediating.
- In 2023, security researchers globally disclosed over 26,000 new CVEs, continuing the trend of YoY growth in the number of vulnerabilities.
- 74% of the CVEs with High and Critical CVSS scores on the top 100 DockerHub community images aren't actually exploitable.
- Human error and exposed secrets account for a notable portion of the potential risk in your software supply chain.
AI/ML Demands Our Attention
- 94% say their organization applies measures to review the security and compliance of open-source machine learning models.
- While 90% say their organization uses AI/ML to aid in security efforts, individual contributors are more likely than execs to say they don't but should.
- Nearly 1 in 5 say their organization doesn't allow AI/ML assistance in code creation due to security and compliance concerns.
What's in Your Software Supply Chain?
The modern software supply chain is multi-tech, multi-sourced, and multinational, with a significant portion of organizations using more than 10 programming languages. The most popular package technologies used in creating production-ready software are familiar year over year, with young languages such as Rust remaining relatively low in usage compared to more tenured languages. There was little change when looking at JFrog data, but other sources such as the TIOBE Index saw Rust growth slow down between 2023 and 2024, dropping in place from number 18 to number 19.
The variety of open-source packages and libraries available for use when creating applications is booming. But that explosion is creating a whole world of potential risk for organizations, as we'll explore further on in this report.
Number of programming languages used in development organizations

Organization size | 1-3 languages | 4-9 languages | 10+ languages |
All organizations | 16% | 53% | 31% |
Less than 2,000 employees | 29% | 48% | 23% |
2,000-4,999 employees | 18% | 59% | 23% |
(relative change vs. the preceding size band) | -38% | +23% | - |
More than 5,000 employees | 9% | 52% | 39% |
(relative change vs. the preceding size band) | -50% | -12% | +70% |

Figure 1. How many programming languages do you use in your software development organization? (Commissioned survey, 2023)
More than half of respondents (53%) say their software development organization uses between 4 and 9 programming languages, and nearly a third (31%) say they use 10 or more programming languages.
As expected, organizations greater than 5,000 employees are significantly more likely to use more than 10 programming languages (39% versus 23%).
New packages per year per package type

Package manager | 2023 | 2022 | 2021 |
Docker Hub | 1,516,558 | 270,310 | 10,396 |
npm | 1,389,350 | 433,627 | 362,295 |
Go | 239,594 | 224,425 | 317,457 |
PyPI | 103,112 | 79,988 | 70,216 |
Maven Central | 74,825 | 63,057 | 77,842 |
Nuget | 59,794 | 135,133 | 62,959 |
PHP Packagist | 27,280 | 25,256 | 29,224 |
Ruby Gems | 5,435 | 5,556 | 7,024 |

Figure 2. Number of new packages per year, displayed by package type (Artifactory database, 2023)
Docker and npm were the most-contributed-to package types based on JFrog Catalog data examining public registries, and the data shows increasing interest in PyPI as well, likely buoyed by AI/ML use cases. We can see a significant spike in new npm and DockerHub packages in 2023 compared to 2022. In the case of DockerHub, this spike is consistent with the growth rate from previous years (e.g. 2021 ~10K, 2022 ~220K, 2023 ~1.5M). However, the spike for npm wasn't consistent with growth from previous years (e.g. 2021 ~362K, 2022 ~433K, 2023 ~1.3M). Interestingly enough, the rise in npm can be explained in part by the fact that nearly half of all new packages submitted to npm (as of March 2023) were SEO spam. This further highlights that attackers are still very keen to use npm as an attack platform.
In general, the number of packages available is constantly growing, which creates an increasingly vast software supply chain to contend with. Spam, malicious packages, and related risks are a natural component of new packages and libraries, and the rapid pace at which new versions are introduced takes a significant amount of effort to manage properly. In essence, all of the YoY volatility we're seeing, coupled with the increasing usage of open source packages, means the effort required to manage and secure what's coming into your organization from the open source ecosystem will also increase without proper support.
Top technologies

Package type | Action count (uploads/downloads) | Number of repositories | Artifacts |
npm | 4,230,979,138 | 41,475 | 184,231,166 |
Maven | 2,413,056,687 | 86,892 | 707,159,728 |
Docker | 729,414,900 | 78,092 | 474,179,862 |
PyPI | 283,195,757 | 13,704 | 24,581,414 |
Go | 199,033,047 | 11,985 | 24,729,953 |
Nuget | 155,785,015 | 14,792 | 33,644,631 |
Conan | 76,374,261 | 3,416 | 80,157,110 |
Helm | 38,498,269 | 25,632 | 6,383,947 |
Gradle | 26,109,716 | 7,914 | 14,945,210 |
Gems | 24,994,625 | 2,708 | 7,805,418 |
Debian | 21,776,803 | 13,848 | 6,220,508 |
YUM | 15,016,540 | 11,447 | 13,773,040 |
Sbt | 9,217,914 | 2,040 | 3,114,418 |
Composer | 6,274,968 | 1,925 | 1,996,541 |
Ivy | 2,835,334 | 2,050 | 15,713,220 |
Terraform | 2,664,448 | 1,645 | 190,116 |
Pub | 1,722,285 | 497 | 34,867 |
P2 | 1,155,385 | 320 | 59,777 |
Conda | 926,421 | 1,378 | 543,401 |
Alpine | 827,331 | 1,267 | 22,648 |
Cocoapods | 434,791 | 1,446 | 749,900 |
Chef | 352,672 | 1,340 | 50,465 |
Swift | 222,561 | 543 | 311,741 |
Cargo | 155,600 | 991 | 247,529 |
Bower | 100,061 | 1,049 | 25,137 |
Cran | 77,303 | 1,688 | 72,929 |
VCS | 49,763 | 177 | 918 |
Opkg | 23,472 | 753 | 62,427 |
Puppet | 17,744 | 1,276 | 6,911 |
Huggingfaceml | 235 | 88 | 1,284 |
Vagrant | 211 | 929 | 6,953 |
As the chart shows, JFrog supports over 30 different technology types natively, but the most used technologies in production-ready software are the names you expect: Maven, npm, Docker, PyPI, Go, Nuget, Conan (C / C++), and Helm. Based on upload/download actions, number of repos, and total size of artifacts stored, it's clear that development organizations prioritize these technologies far above the rest.
Interestingly, specific verticals tend to see usage of common technologies to solve similar use cases, such as:
- Automotive and IoT companies leverage Maven (back-end apps), npm (front-end apps), Docker, and PyPI (for AI/ML), and often bundle many of these together into generic packages (tar/zip images).
- Robotics and AI/MLOps companies leverage PyPI and ML models pulled from public sites like Hugging Face and TensorFlow, storing these models in containers or generic packages (tar/zips), although we are starting to see them adopt a native repository type like Hugging Face for their models.
- Insurance, financial, and retail institutions leverage a combination of technologies like Maven, npm, and Docker, but with the increase in AI/ML even these companies are starting to leverage PyPI and ML models to provide more enhanced offerings and maintain a competitive edge.
Figure 3. Technologies used, plus action counts, number of repos, and total size of artifacts stored for each (Artifactory database, 2023)
Key takeaways
A rise in AI development
While Hugging Face usage in JFrog is in its early days, it's exciting to see organizations taking an important step of bringing ML model development into their secure software supply chain by managing models alongside all their other software artifacts in the JFrog Platform. Our data indicates a steady increase in PyPI and Conan package usage, popular technologies for building new ML models.
The old guard continues to stand strong
As much excitement and interest as there is around technologies like Rust, the top technologies organizations use to create production-ready software haven't changed significantly from year to year. The ecosystem surrounding the likes of Java, Python, JavaScript, etc. is likely so strong and ingrained that organizations feel comfortable sticking with the technologies they know work. It'll likely be some time before we see these younger languages gain a real foothold in large enterprises.
Vast range of languages and package types are being used
Development organizations can and should take advantage of the programming languages best suited to the needs of their project. However, every additional programming language or package type creates an additional threat vector and another layer of complexity to manage, from both a DevOps and security perspective. For large companies especially, managing the secure use of 10+ technologies can be a nightmare without the right tools and processes in place.
Containerization has hit the mainstream - what's next?
At this point, the prevalent usage of Docker, OCI, and Helm repositories is a clear indication that containerization has been widely adopted in production software assets. Now that organizations are comfortable with containers and are moving to dynamic runtimes such as Kubernetes, some forward-looking technologists are beginning to promote deploying WebAssembly (Wasm) applications, which offer some unique benefits over containers in specific use cases.
The Hidden Risk in Your Software Supply Chain
According to a new forecast by Gartner, global end-user spending on security and risk management is projected to total $215 billion in 2024, up 14.3% from 2023. Hackers know that open source packages, and the developers who use them, are the golden ticket to security breaches. They tend to strike either by exploiting weaknesses introduced through CVEs (typically unintentional flaws by open source developers) or by introducing their own malicious packages masquerading as safe open-source components.
The challenge for organizations to manage risk in their software supply chain is four-fold:
1. There are tens of thousands of new CVEs a year, with the number growing higher YoY
2. Increasing amounts of malicious packages
3. Not every CVE is applicable to your software, nor as serious as may be originally stated
4. Run-of-the-mill human error during coding can expose your org to risk
Disclaimer
JFrog Ltd. published this content on 19 March 2024 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 19 March 2024 08:18:01 UTC.