Had a great time today at the CISO Sydney event.

I did a joint presentation with Justin where we went through the stats in the 8th Annual State of Software Supply Chain Report and I provided my insights and perspective.

Some of the key findings from the report that I covered were:

  • The world downloaded 3.4 trillion open source packages in 2022. (That’s 1 trillion more than the previous year)
  • 1.2 billion vulnerable dependencies are downloaded each month
  • 6 out of every 7 project vulnerabilities come from transitive dependencies (This is very worrying to me and shows how we need to look at not just our third parties, but also the fourth and so forth)
  • 8 months after the Log4j incident, the vulnerable versions of Log4j still make up more than 35% of monthly downloads.
  • 96% of known-vulnerable open source downloads are avoidable

Log4j version downloads. The ones in red are vulnerable versions!

It’s time to secure our software supply chain.

The State of Software Supply Chain Report is available to download at https://www.sonatype.com/resources/2023-software-supply-chain-report

Apart from the presentations, the event was also a great opportunity to catch up with everyone and make new friends. If you haven’t attended a CISO Sydney event, I highly recommend it.

Below are some photos taken during my talk.