Popularity of open source software leads to security risks
The widespread use of open source software within modern application development leads to significant security risks, according to a new report.
The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project). Plus, the time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
"Software developers today have their own supply chains -- instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns," says Matt Jarvis, director, developer relations at Snyk. "This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue to build fast, while also staying secure."
Among other findings, only 49 percent of organizations have a security policy for OSS development or usage (and this number is a mere 27 percent for medium-to-large companies). While 30 percent of organizations without an open source security policy openly recognize that no one on their team is directly addressing open source security.
The complexity of the supply chain is also an issue, over a quarter of survey respondents note they are concerned about the security impact of their direct dependencies. Only 18 percent say they are confident of the controls they have in place for these and 40 percent of all vulnerabilities were found in transitive dependencies.