Open source supply chain faces security issues
The open source software supply chain shows signs of 'AppSec exhaustion,' with organizations showing diminished engagement in security practices and struggling to meet vulnerability management goals, according to a new report.
The study from Snyk, based on a survey of 453 professionals across application development and security, shows that open-source security is more important than ever, as hackers have recognized the efficiency of targeting open-source software as a single entry point to multiple orgs.
But despite how important these issues have become, organizations have dedicated less tooling and training resources to supply chain vulnerabilities compared to 2023.
The number of respondents saying they had invested in additional security tooling specifically in response to supply chain or open source vulnerabilities fell from 60.9 percent to 49.6 percent year-on-year, while respondents indicating their organizations had invested in additional security training in response to supply chain or open source vulnerabilities plummeted from 53.2 percent to 35.4 percent.
Despite 74 percent of organizations setting SLAs of a week or less for high-severity vulnerabilities, 52 percent say they regularly fail to meet these targets, with 14.8 percent reporting frequent failures.
There's a disconnect between perceived and actual AI security too. While 77.9 percent believe AI has improved code security (up from 76.5 percent last year), only 56.1 percent express concern about AI-introduced vulnerabilities, even as research shows frequent and serious security flaws in AI-generated code.
The report suggests that organizations are failing to equip their teams with the skills to combat more sophisticated threats too, with a 17.8 percent year-on-year decrease in supply chain vulnerability training for development teams.
The report's authors conclude, "These findings suggest that the industry must find new ways to balance security requirements with team capacity while maintaining vigilance against emerging threats, including those potentially introduced by overreliance on AI tools. Without addressing these challenges and adjusting attitudes toward AI-generated code security, organizations risk falling further behind in their security posture as threats continue to evolve."
The full 2024 State of Open Source Security Report is available from the Snyk site.