Skip to main content

Open source cyberattacks see huge rise

(Image credit: Image Credit: Wright Studio / Shutterstock)

“Next-generation” cyberattacks against open source (opens in new tab) software supply chains are spiking “massively”, according to a new report from Sonatype.

In its sixth annual State of the Software Supply Chain report, the company claims to have recorded a 430 percent surge in these types of attacks. In plain numbers, the firm recorded 929 attacks from July 2019 to May 2020, up from 216 in the four years prior.

“Next generation” software supply chain attacks differ from legacy attacks in that they target and compromise upstream open source projects, and then wait until they flow downstream and into the wild in order to exploit them.

Sonatype cites Octopus Scanner and electron-native-notify as examples of "strategic" next generation attacks.

Businesses, for their part, must improve upon their ability to diagnose issues. Almost half (47 percent) take up to a week to identify new open source vulnerabilities (opens in new tab), while an even greater proportion (51 percent) take more than a week to fix them.

The highest performing development teams, meanwhile, were found to be 26 times faster at detecting and remediating open source vulnerabilities than their peers.

These top tier teams are 59 percent more likely to use automation to detect and remediate known vulnerabilities, 51 percent more likely to centrally maintain a software bill of materials (SBOMs) for applications, and a whopping 33 times more likely to be confident that OSS dependencies are secure.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. And his work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.