“If developers better understood what suppliers (projects) they were using and focused on only using the best kind — and recognizing that they’re not all equal – it would be a huge step toward forward,” said Weeks.
Weeks also adds Median Time to Update (MTTU) can be a critical metric when deciding what component to use. “Rapid MTTU is associated with lower security risk and is also more accessible from public sources than other metics enterprises might want to rely upon such as vulnerability data,” he said. Open-source project maintainers can also use MTTU to help enterprise ensure security. “Developers maintaining OSS projects who are considering adding a new dependency, and looking for a metric to guide that choice, would do well to focus on those dependencies with fast MTTU. Since remediating a vulnerable dependency typically involves upgrading to a new dependency version, components with fast MTTU values naturally exhibit faster response to dependency vulnerabilities,” Weeks explained.
Another key finding of the report revealed velocity shouldn’t and doesn’t have to come at the cost of security. “We found that exemplary open source project initiatives benefit tremendously from higher code commits, release frequencies, and to some extent larger development teams,” said Weeks.
Other findings of the report include a 68 percent year over year growth in download requests of Java components; 21,448 new open-source releases are available to developer every day; and a 55 percent reduction in the use of vulnerable open-source components from top enterprise development teams.
“I think it’s important for developers to understand that secure coding practices can actually speed up their process and increase innovation. In order to survive and thrive in today’s application economy the best development teams are actively embracing open source innovation, dependency management practices, and automated tooling for open source governance,” said Weeks.