Open source software has grown in popularity among developers and technology companies. However, according to a new report titled “The State of Open Source Security,” the unrestricted deployment of open source code is gradually becoming a security risk. According to research conducted by developer security firm Snyk and the Linux Foundation, more than a third of organisations lack confidence in the security of open source software. Snyk’s director of developer relations, Matt Jarvis, commented on the report:
“Software developers today have their own supply chains — instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns. This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today.”
“Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue to build fast, while also staying secure.”
According to the study, the average application development project contains 49 vulnerabilities and 80 direct dependencies. Furthermore, the time required to fix vulnerabilities in open source projects has steadily increased: in 2018, a security vulnerability took 49 days on average to fix, whereas in 2021 a patch took about 110 days to develop.
According to the report, only 49% of organisations have a security policy for open-source software development or use, and this figure drops to just 27% for medium-to-large businesses. Approximately 30% of organisations admitted that no one on their team is directly responsible for, or even addresses, open source security; these businesses also lacked an open source security policy.
The report is based on a survey of over 550 respondents conducted in the first quarter of 2022, as well as data from Snyk Open Source, which examines over 1.3 billion open source projects.