The Linux Foundation and developer security solutions provider Snyk have released the findings of their first collaborative research report, The State of Open Source Security. The findings highlight both the considerable security concerns brought on by the extensive usage of open source software in contemporary application development and how many businesses are now unprepared to manage these risks.
Specifically, the report published by Snyk and Linux Foundation found:
- More than four in ten firms (41 percent) have low confidence in the security of their open source software
- The typical application development project has 49 vulnerabilities across 80 direct dependencies (open source code called directly by a project)
- Open source project vulnerability repair times have been rising over time, more than doubling from 49 days in 2018 to 110 days in 2021
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations at Snyk. “This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”
Open Source Software
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, General Manager, Open Source Security Foundation (OpenSSF). “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.”
To elaborate on the study’s findings:
41% of Organizations Don’t Have High Confidence in Open Source Security
Teams working on contemporary applications use code from a variety of sources. They recycle code from previously created applications and scour code repositories for open source components that offer the capabilities they require. Many firms have not yet accepted the new way of thinking about developer security that is necessary for the adoption of open source.
Less than half (49%) of organizations have a security policy for OSS development or usage (only 27% of medium- to large-sized businesses have one), and 30% of those without such a policy openly admit that no one on their team is currently directly tackling open source security.
49 Vulnerabilities Spanning 80 Direct Dependencies
When developers include an open source component in their apps, they instantly rely on that component and are vulnerable if it has security flaws. With scores of vulnerabilities found across numerous direct dependencies in each application examined, the research demonstrates how real this danger is.
Additionally increasing this danger are indirect dependencies, also known as transitive dependencies, which are the dependencies of your dependencies. These dependencies are harder to track and safeguard because many developers aren’t even aware of them.
However, poll participants are somewhat aware of the security challenges raised by open source in the current software supply chain:
- A quarter of poll participants said they are worried about how their direct dependencies may affect their security
- Only 18 percent of those surveyed claimed to be confident in the controls they had in place for their transitive dependencies
- Transitive dependencies were found to be vulnerable in 40 percent of all cases
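As an added illustration of the direct-versus-transitive distinction described above (example code written for this page, not from the report or from Snyk), the following walks a constructed dependency graph and separates advisories that hit a direct dependency from those that reach the project only through packages nobody listed explicitly, recording the chain that pulls each one in. All package names and advisory ids are placeholders.

```python
from collections import deque

# Constructed sample project: its direct dependencies and what each package
# pulls in. Hypothetical package names, not real data.
DIRECT_DEPENDENCIES = {"webfw", "httpclient", "yamlparse"}
DEPENDENCY_GRAPH = {
    "webfw": ["templating", "httpclient"],
    "httpclient": ["urlutil"],
    "yamlparse": [],
    "templating": ["escape-lib"],
    "urlutil": [],
    "escape-lib": [],
}
# Constructed advisory data: package -> advisory ids (placeholder ids).
ADVISORIES = {
    "httpclient": ["ADV-0001"],
    "escape-lib": ["ADV-0002", "ADV-0003"],
    "urlutil": ["ADV-0004"],
}


def resolve_dependencies(direct, graph):
    """Return {package: path} for every package reachable from the direct
    dependencies. 'path' is the chain of packages that pulls it in; a
    breadth-first walk keeps the shortest chain for each package."""
    paths = {pkg: [pkg] for pkg in sorted(direct)}
    queue = deque(sorted(direct))
    while queue:
        pkg = queue.popleft()
        for child in graph.get(pkg, []):
            if child not in paths:
                paths[child] = paths[pkg] + [child]
                queue.append(child)
    return paths


def vulnerability_report(direct, graph, advisories):
    """Split advisories into those on direct dependencies and those that only
    arrive transitively, so the 'invisible' exposure is explicit."""
    paths = resolve_dependencies(direct, graph)
    report = {"direct": {}, "transitive": {}}
    for pkg, advs in advisories.items():
        if pkg not in paths:
            continue  # advisory for a package this project never pulls in
        bucket = "direct" if pkg in direct else "transitive"
        report[bucket][pkg] = {"advisories": list(advs), "path": paths[pkg]}
    return report


if __name__ == "__main__":
    for bucket, pkgs in vulnerability_report(DIRECT_DEPENDENCIES, DEPENDENCY_GRAPH, ADVISORIES).items():
        for pkg, info in pkgs.items():
            print(f"{bucket:10} {pkg}: {info['advisories']} via {' -> '.join(info['path'])}")
```

In this constructed graph only one of the four advisories sits on a package the project declared; the other three arrive through two packages the developer never chose, which is the tracking gap the report describes.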
Time to Fix: More Than Doubled from 49 Days in 2018 to 110 Days in 2021
The security issues that development teams now face have grown in complexity along with the complexity of application development. The usage of open source software increases the burden of remediation even as it increases development efficiency. According to the study, it takes about 20 percent longer (18.75 percent) to resolve vulnerabilities in open source projects than in proprietary projects.
About the Study
With assistance from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation, and the Eclipse Foundation, The State of Open Source Security is a collaboration between Snyk and The Linux Foundation.
The analysis is based on data from Snyk Open Source, which has scanned more than 1.3 billion open source projects, as well as a survey of more than 550 respondents conducted in the first quarter of 2022.