State of the Software Supply Chain 2021 (opens in new tab)

(sonatype.com)

15 pointslivealight4y ago13 comments

13 comments

"Vulnerabilities are more common in popular projects." - meaning more popular projects have more known issues, which seems kind of obvious.

Perhaps 'security by obscurity' has its parallel in 'vulnerability in popularity'.

While not a good security tactic in general, there is something to the fact that an obscure library will be less exploited.

stephen-magill4y ago

Yep. The question is whether the engineering trade-offs are worth it. Less-used libraries might have more undiscovered bugs that crop up in production and could have lower levels of support as well.

marcus_holmes4y ago

Or, y'know, think carefully before adding a dependency to your project, and add as few dependencies as possible.

livealightOP4y ago

insert obligatory node_modules joke here

phkahler4y ago

Interesting read. One thing seems to be missing, and that is any notion of participating in upstream development. In open source you don't have to just be a consumer, you can actively participate in the development of dependencies to varying degrees. They do point to people near the edge vs on the edge as having better practices, and I'd think that's because they at least follow and understand what's going on vs just using the latest. Following and understanding seems very close to participating, though they are different.

stephen-magill4y ago

This is something we studied in last year's report. Based on a survey similar to the one described in Chapter 4 we found that a mix of features measuring participation in the open source community was associated with positive security outcomes. It makes sense that if you follow the projects you're using closely then you would be more aware of security advisories and fixes for those projects. My favorite part was the term we used for this mix of features: Open Source Enlightenment :-)

nixpulvis4y ago

With so many irrelevant advisories, I'm not sure I can take much from this report TBH. Not to mention that I disagree about MTTU, a stat that is clearly skewed toward pencil pushers.

The more time you spend updating dependencies, the less time you spend actually coding things. Well, unless the updates actually give you new features, which is generally not what people are looking for when running an update for some reason.

livealightOP4y ago

Yeah oddly the outcome of MTTU is a maintained transitive tree seems to be a better indicator of security status than any other more complex framework. How to do it effectively is a matter on to itself

stephen-magill4y ago

This is exactly right. Low MTTU and keeping up-to-date across the transitive dependency tree makes it less likely that vulnerabilities creep in due to those transitive dependencies. I think there's also a certain aspect of "faster is better" akin to what we see in Forsgren et al's Accelerate / State of DevOps research. If you have the team structure, development discipline, and release infrastructure required to update dependencies frequently then that probably benefits other aspects of project quality as well.

1 more reply

makeitrain4y ago

To read this on a phone, you have to trick the content into loading by scrolling past it, then scrolling back up.

j / k navigate · click thread line to collapse

13 comments

timw4mail4y ago

"Vulnerabilities are more common in popular projects." - meaning more popular projects have more known issues, which seems kind of obvious.

Perhaps 'security by obscurity' has its parallel in 'vulnerability in popularity'.

While not a good security tactic in general, there is something to the fact that an obscure library will be less exploited.

stephen-magill4y ago

Yep. The question is whether the engineering trade-offs are worth it. Less-used libraries might have more undiscovered bugs that crop up in production and could have lower levels of support as well.

marcus_holmes4y ago

Or, y'know, think carefully before adding a dependency to your project, and add as few dependencies as possible.

livealightOP4y ago

insert obligatory node_modules joke here

phkahler4y ago

stephen-magill4y ago

nixpulvis4y ago

With so many irrelevant advisories, I'm not sure I can take much from this report TBH. Not to mention that I disagree about MTTU, a stat that is clearly skewed toward pencil pushers.

livealightOP4y ago

stephen-magill4y ago

1 more reply

makeitrain4y ago

To read this on a phone, you have to trick the content into loading by scrolling past it, then scrolling back up.

j / k navigate · click thread line to collapse