The developer security company Snyk and the global nonprofit organization The Linux Foundation have shared the results of their first joint research report, The State of Open Source Security. The report details the security risks introduced by the use of open-source software in modern application development, and shows how many organizations are unprepared to manage those risks.
Code reuse
Snyk’s report shows that 41% of organizations do not have high confidence in open-source software security. Modern applications pull in code from all sorts of places, and reusing code from other projects requires a new way of thinking about developer security.
- Less than half (49%) of organizations have a security policy for OSS development or usage (and this number is a mere 27% for medium-to-large companies); and,
- Three in ten (30%) organizations without an open-source security policy openly recognize that no one on their team is currently directly addressing open-source security.
Organizations that use open-source components become dependent on those components and are exposed if any of them contain vulnerabilities. The report evaluates dozens of vulnerabilities discovered across many direct dependencies in applications. Survey respondents are aware of the security complexities that open source creates in today’s software supply chain:
- Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies;
- Only 18% of respondents said they are confident of the controls they have in place for their transitive dependencies; and,
- Forty percent of all vulnerabilities were found in transitive dependencies.
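The distinction between direct and transitive dependencies drives the finding above, and the first thing a practitioner wants is a way to tell which of the two a vulnerable package is, and by what chain it was pulled in. The following is an added example, not code from the report or from Snyk; it walks a constructed, lock-file-style dependency graph and a constructed advisory list (placeholder ids, not real CVEs), classifies each reachable advisory as direct or transitive, and reports the shortest dependency chain so the owning team knows which direct dependency to update or pin.

```python
"""Classify vulnerable packages in a dependency graph as direct or transitive.

Added example (not from the Snyk/Linux Foundation report). The dependency
graph and advisory list below are constructed; package names and advisory
ids are hypothetical placeholders.
"""
from collections import deque

# Constructed dependency graph: package -> packages it requires.
# "app" is the application itself; its requirements are the direct deps.
DEP_GRAPH = {
    "app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "json-parser"],
    "http-client": ["url-utils"],
    "template-engine": ["escape-lib"],
    "json-parser": [],
    "url-utils": [],
    "escape-lib": [],
}

# Constructed advisories (placeholder ids, not real CVEs): package -> id.
ADVISORIES = {
    "escape-lib": "ADV-PLACEHOLDER-1",
    "http-client": "ADV-PLACEHOLDER-2",
    "json-parser": "ADV-PLACEHOLDER-3",
}


def resolve(graph, root="app"):
    """Breadth-first walk returning {package: depth}; depth 1 = direct dependency."""
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:  # shared node already reached by a shorter path
            continue
        depth[pkg] = d
        for child in graph.get(pkg, []):
            queue.append((child, d + 1))
    return depth


def shortest_path(graph, target, root="app"):
    """Return the dependency chain from root to target, e.g. for remediation notes."""
    parent = {root: None}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg == target:
            break
        for child in graph.get(pkg, []):
            if child not in parent:
                parent[child] = pkg
                queue.append(child)
    if target not in parent:
        return []
    path, node = [], target
    while node is not None:
        path.append(node)
        node = parent[node]
    return path[::-1]


def classify_vulnerabilities(graph, advisories, root="app"):
    """Return {advisory_id: {"package", "kind", "path"}}, kind being direct or transitive."""
    depth = resolve(graph, root)
    report = {}
    for pkg, adv_id in advisories.items():
        if pkg not in depth:
            continue  # advisory for a package this application never pulls in
        report[adv_id] = {
            "package": pkg,
            "kind": "direct" if depth[pkg] == 1 else "transitive",
            "path": shortest_path(graph, pkg, root),
        }
    return report


def transitive_share(report):
    """Fraction of reachable advisories that sit in transitive dependencies."""
    if not report:
        return 0.0
    transitive = sum(1 for r in report.values() if r["kind"] == "transitive")
    return transitive / len(report)


if __name__ == "__main__":
    rep = classify_vulnerabilities(DEP_GRAPH, ADVISORIES)
    for adv_id, info in sorted(rep.items()):
        chain = " -> ".join(info["path"])
        print(f"{adv_id}: {info['package']} ({info['kind']}) via {chain}")
    print(f"transitive share: {transitive_share(rep):.0%}")
```

On the constructed graph two of the three reachable advisories are transitive, and the printed chain shows that the deepest one is only fixable by updating or pinning through the direct dependency at the top of its path; a real lock file (package-lock.json, Pipfile.lock, go.sum and the like) supplies the same graph shape once parsed.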
As application development becomes more complex, so do its security challenges. The report found that fixing a vulnerability in open-source projects takes 18.75% longer than in proprietary projects, and that the time to fix a vulnerability rose from only 49 days in 2018 to 110 days in 2021.