According to new Linux Foundation research, more than two-fifths (41 percent) of organisations lack confidence in their open source security, with only 49 percent claiming to have a policy in place. The State of Open Source Security report, co-sponsored by Snyk, was compiled from interviews with 550 open source stakeholders and Snyk’s technology, which scanned over 1.3 billion open source projects.
The use of open source repositories to accelerate time-to-market is common among developers, but it can expose organisations to hidden risks if these components contain malware or vulnerabilities. Given the sometimes complex set of dependencies between components, these risks can be difficult to find and remediate once such components are used. According to the report, the average application development project has 49 vulnerabilities spread across 80 direct dependencies.
These difficulties are frequently exacerbated by indirect dependencies. According to the report, transitive dependencies accounted for 40 percent of all vulnerabilities found. Worryingly, only 18 percent of respondents said they are confident in the controls they have in place for transitive dependencies, and only a quarter are concerned about the security impact of their direct dependencies.
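The point about transitive dependencies is easiest to see on a dependency graph. The following is an added example, not code from the report, Snyk or the Linux Foundation; the package names, the lock-file style graph and the advisory ids are all constructed placeholders. It walks from the declared direct dependencies to everything they pull in, matches each package against an advisory list, splits findings into direct and transitive, and then answers the remediation question that a "shortest path" report alone does not: which direct dependencies would all have to change for a vulnerable transitive package to disappear.

```python
"""Classify known advisories across direct and transitive dependencies.

Constructed example: the package names, graph and advisory ids below are
hypothetical placeholders, not data from the Linux Foundation / Snyk report.
"""
from collections import deque

# Direct dependencies declared by the (hypothetical) application manifest.
DIRECT_DEPS = ["web-framework", "json-parser", "image-lib"]

# Resolved dependency graph, as a lock file records it: package -> its own deps.
DEP_GRAPH = {
    "web-framework": ["http-core", "template-engine"],
    "http-core": ["url-utils"],
    "template-engine": ["escape-lib"],
    "json-parser": [],
    "image-lib": ["compress-lib"],
    "compress-lib": ["url-utils"],
    "url-utils": [],
    "escape-lib": [],
}

# Constructed advisory database: package -> advisory ids (placeholders, not real CVEs).
ADVISORIES = {
    "json-parser": ["ADV-0001"],
    "image-lib": ["ADV-0005"],
    "url-utils": ["ADV-0002", "ADV-0003"],
    "escape-lib": ["ADV-0004"],
}


def resolve(direct, graph):
    """Breadth-first walk from the direct dependencies.

    Returns {package: path}, where path lists the packages from the direct
    dependency down to `package`. A path of length 1 is a direct dependency;
    anything longer is transitive. BFS means the first path recorded is the
    shortest one, which is the path worth showing in a finding.
    """
    paths = {}
    queue = deque((d, [d]) for d in direct)
    while queue:
        pkg, path = queue.popleft()
        if pkg in paths:
            continue  # already reached by a path at least as short
        paths[pkg] = path
        for child in graph.get(pkg, []):
            if child not in paths:
                queue.append((child, path + [child]))
    return paths


def classify(direct, graph, advisories):
    """Match resolved packages against advisories and split the findings.

    Returns {"direct": [...], "transitive": [...], "transitive_share": float},
    each finding being (package, advisory_id, path). The share is 0.0 when
    there are no findings at all.
    """
    paths = resolve(direct, graph)
    findings = {"direct": [], "transitive": []}
    for pkg, path in paths.items():
        for adv in advisories.get(pkg, []):
            bucket = "direct" if len(path) == 1 else "transitive"
            findings[bucket].append((pkg, adv, path))
    total = len(findings["direct"]) + len(findings["transitive"])
    findings["transitive_share"] = len(findings["transitive"]) / total if total else 0.0
    return findings


def reachable(pkg, graph):
    """Every package reachable below `pkg` (depth-first, cycle safe)."""
    seen, stack = set(), [pkg]
    while stack:
        for child in graph.get(stack.pop(), []):
            if child not in seen:
                seen.add(child)
                stack.append(child)
    return seen


def remediation_targets(direct, graph, findings):
    """For each vulnerable transitive package, every direct dependency that pulls it in.

    Upgrading only the direct dependency on the reported shortest path is not
    enough when another direct dependency still resolves the same vulnerable package.
    """
    vulnerable = {pkg for pkg, _, _ in findings["transitive"]}
    return {v: sorted(d for d in direct if v in reachable(d, graph)) for v in sorted(vulnerable)}


if __name__ == "__main__":
    result = classify(DIRECT_DEPS, DEP_GRAPH, ADVISORIES)
    for bucket in ("direct", "transitive"):
        for pkg, adv, path in result[bucket]:
            print(f"{bucket:10} {adv} in {pkg:16} via {' -> '.join(path)}")
    print(f"transitive share of findings: {result['transitive_share']:.0%}")
    print("direct dependencies to act on:", remediation_targets(DIRECT_DEPS, DEP_GRAPH, result))
```

In this constructed graph three of the five findings sit in transitive packages, and the vulnerable `url-utils` is pulled in by two different direct dependencies, so a fix that only touches `web-framework` (the one on the shortest path) still leaves the package in the build. Real SCA tooling does the same walk over a lock file and a live advisory feed; the controls the report asks about are whether that walk runs at all, and whether its output reaches someone who owns the direct dependencies.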
According to the report, open source teams are struggling to keep up with the growing demand to find and patch these bugs: fixing open source vulnerabilities takes nearly 20% longer than fixing vulnerabilities in proprietary projects, and the average fix time rose from 49 days in 2018 to 110 days last year. This may be down to a lack of personnel: among organisations without an open source security policy, 30% said that no one on their team is currently addressing open source security directly.
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF).
“This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.”
In May, community leaders gathered in Washington to outline a 10-point plan for improving the security of the open source software supply chain.