Security Concerns Result from Open Source Software Ubiquity
June 22, 2022
The results of The State of Open Source Security report detail the significant security risks resulting from the widespread use of open source software within modern application development as well as how many organizations are currently ill-prepared to effectively manage these risks.
Specifically, the report found:
Over four out of every ten (41%) organizations don’t have high confidence in their open source software security;
The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project); and,
The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
“Software developers today have their own supply chains – instead of assembling
car parts, they are assembling code by patching together existing open source
components with their unique code. While this leads to increased productivity
and innovation, it has also created significant security concerns,” said Matt
Jarvis, Director, Developer Relations, Snyk. “This first-of-its-kind report
found widespread evidence suggesting industry naivete about the state of open
source security today. Together with The Linux Foundation, we plan to leverage
these findings to further educate and equip the world’s developers, empowering
them to continue building fast, while also staying secure.”
Modern application development teams are leveraging code from all sorts of places. They reuse code from other applications they’ve built and search code repositories to find open source components that provide the functionality they need. The use of open source requires a new way of thinking about developer security that many organizations have not yet adopted.
Three in ten (30%) organizations without an open source security policy openly recognize that no one on their team is currently directly addressing open source security.
Average Application Development Project: 49 Vulnerabilities Spanning 80 Direct Dependencies
When developers incorporate an open source component in their applications, they
immediately become dependent on that component and are at risk if that component
contains vulnerabilities. The report shows how real this risk is, with dozens of
vulnerabilities discovered across many direct dependencies in each application
Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies;
Only 18% of respondents said they are confident of the controls they have in place for their transitive dependencies; and,
Forty percent of all vulnerabilities were found in transitive dependencies.
Time to Fix: More Than Doubled from 49 Days in 2018 to 110 Days in 2021
As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. While this makes development more efficient, the use of open source software adds to the remediation burden. The report found that fixing vulnerabilities in open source projects takes almost 20% longer (18.75%) than in proprietary projects.