The report comes at a time when both information security experts and government officials are concerned about the security of open source software. Open source vulnerabilities such as Log4j and the 2017 Apache Struts case linked to the Equifax breach demonstrate the ongoing threat posed when millions of applications are vulnerable to these flaws. Even the most inexperienced and unsophisticated hackers can exploit these flaws to steal or manipulate sensitive data.
“Open source has changed the way developers work, and has brought more efficiency, innovation and speed in the way modern applications are made,” Matt Jarvis, director of developer relations at Snyk, said via email. “This ubiquity has also made it a target, as attackers have realized that the open source supply chain may be easier to exploit than directly looking for vulnerabilities in end user applications.”
According to Jarvis, the increased time it takes to find open source vulnerabilities reflects another set of challenges. Every year, developers create more software, which forces organisations to focus on critical vulnerabilities and can leave less serious ones unpatched and available for exploitation.
According to Forrester senior analyst Janet Worthington, in a 2021 study two-thirds of respondents estimated that their organisations had been breached at least once in the previous 12 months. Worthington added that more than one-third of respondents said the compromise was caused by an external attack, and that the leading factor was a software vulnerability exploit, which beat out phishing, social engineering, and web application exploits.
“Not having a strong open source security policy is a problem when you look at how attackers are compromising organizations,” Worthington said.
Aside from developing specific open source security policies, businesses can take steps to search for software vulnerabilities. According to Manjunath Bhat, VP analyst at Gartner, organisations are increasingly using trusted component registries and software composition analysis tools to protect the integrity of open source.
According to Jarvis, the Snyk-Linux Foundation study was based on responses from over 500 organisations ranging from small businesses to medium-to-large enterprises. The report also made use of data from Snyk Open Source, which scans approximately 1.3 billion open source projects.