According to a survey conducted by Snyk and the Linux Foundation and published today, fewer than half of respondents (49%) work for organisations that have security policies in place for the use or development of open source software. Snyk, a provider of software security tools, and the Linux Foundation polled 550 software development professionals. Just under a third (30%) of those without policies admitted that no one on their team is currently directly addressing open source security. Forty-one percent said they were not confident in the security of their open source software; despite this, 59 percent of respondents said the open source software they used was somewhat or extremely secure.
According to Matt Jarvis, Snyk’s director of developer relations, many organisations are unaware of the extent to which open source software is now being targeted by cybercriminals looking to sneak malware into widely used software projects. Those same organisations, he added, lacked clarity about how open source software is built. According to Jarvis, the open source software community has become a victim of its own success in many ways.
The average application development project has 49 vulnerabilities and 80 direct dependencies on open source software, according to the survey. Only 18% of respondents said they are confident in the transitive dependency controls they have in place, yet a whopping 40% of all vulnerabilities discovered were in transitive dependencies, that is, in packages pulled in indirectly by a direct dependency rather than chosen by the project itself. According to the survey, only one-third of respondents (33%) use static application security testing (SAST) tools within a continuous integration process or software composition analysis (SCA) tools to discover vulnerabilities. In total, 44 percent said they use a tool to analyse source code.
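To make concrete what a transitive dependency control looks like, here is an added example that is not from the survey, Snyk or the Linux Foundation: a toy software composition analysis check in Python. It resolves a constructed dependency graph, separates direct from transitive packages, and matches every resolved package against a constructed advisory list, reporting the chain through which each transitive hit was pulled in. All package names, versions and advisory identifiers are made up placeholders.

```python
"""Toy SCA check (added illustration, not a real tool or feed).

Resolves a constructed dependency graph, splits direct from transitive
dependencies, and matches every resolved package against a constructed
advisory list. Package names, versions and advisory IDs are made up.
"""

from collections import deque

# Constructed manifest: the packages the project declares directly.
DIRECT_DEPS = {"web-framework": "2.1.0", "json-parser": "1.4.2"}

# Constructed dependency graph: (name, version) -> what that package requires.
DEP_GRAPH = {
    ("web-framework", "2.1.0"): {"http-core": "0.9.1", "template-engine": "3.0.0"},
    ("json-parser", "1.4.2"): {},
    ("http-core", "0.9.1"): {"url-utils": "1.0.3"},
    ("template-engine", "3.0.0"): {"url-utils": "1.0.3"},
    ("url-utils", "1.0.3"): {},
}

# Constructed advisory feed: (name, vulnerable version) -> placeholder advisory ID.
ADVISORIES = {
    ("url-utils", "1.0.3"): "ADV-PLACEHOLDER-001",
    ("json-parser", "1.4.2"): "ADV-PLACEHOLDER-002",
}


def resolve(direct, graph):
    """Return {(name, version): path} for every package reachable from the
    manifest; path is the chain of names from a direct dependency down.
    Breadth-first, so the recorded path is a shortest introduction chain."""
    resolved = {}
    queue = deque(((name, ver), [name]) for name, ver in direct.items())
    while queue:
        pkg, path = queue.popleft()
        if pkg in resolved:
            continue  # already reached via another route
        resolved[pkg] = path
        for child_name, child_ver in graph.get(pkg, {}).items():
            queue.append(((child_name, child_ver), path + [child_name]))
    return resolved


def classify(direct, graph):
    """Split the resolved set into direct and transitive dependencies."""
    resolved = resolve(direct, graph)
    direct_set = {(n, v) for n, v in direct.items()}
    direct_found = {p: path for p, path in resolved.items() if p in direct_set}
    transitive = {p: path for p, path in resolved.items() if p not in direct_set}
    return direct_found, transitive


def find_vulnerabilities(direct, graph, advisories):
    """Match all resolved packages against advisories and report, for each
    hit, whether it is direct or transitive and the chain that introduced it."""
    direct_found, transitive = classify(direct, graph)
    findings = []
    for pkg, path in list(direct_found.items()) + list(transitive.items()):
        if pkg in advisories:
            findings.append({
                "package": pkg[0],
                "version": pkg[1],
                "advisory": advisories[pkg],
                "kind": "direct" if pkg in direct_found else "transitive",
                "path": " -> ".join(path),
            })
    return sorted(findings, key=lambda f: f["package"])


def transitive_share(findings):
    """Fraction of findings that sit in transitive dependencies."""
    if not findings:
        return 0.0
    return sum(f["kind"] == "transitive" for f in findings) / len(findings)


if __name__ == "__main__":
    hits = find_vulnerabilities(DIRECT_DEPS, DEP_GRAPH, ADVISORIES)
    for h in hits:
        print(f"{h['advisory']}: {h['package']}@{h['version']} "
              f"({h['kind']}) via {h['path']}")
    print(f"transitive share: {transitive_share(hits):.0%}")
```

The point a manifest-only review misses is visible in the output: the project never asked for url-utils, but it is present anyway through web-framework, and an advisory against it is a finding the project owns. A real SCA tool does the same walk over a lockfile or resolved build graph and against a maintained vulnerability feed; the introduction path is what lets a team decide whether to upgrade the direct dependency, pin an override, or accept the risk.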
In terms of additional capabilities, 59 percent want more intelligence added to these tools, while 52 percent want more clearly defined cybersecurity best practices. Almost half (49%) also desired more automation and tools for conducting security audits. According to the survey, fixing vulnerabilities in open source projects takes 19% longer than in proprietary projects. Eighty percent of organisations with security policies delegated responsibility to the security team; according to the survey, only 40% of organisations without such policies did the same.
The Open Source Security Foundation (OpenSSF), a division of the Linux Foundation, is focusing on ten investment streams that would require more than $150 million in funding to drive greater adoption of DevSecOps best practices among open source software project maintainers. Open source software is now routinely reused by developers. The problem is that many of those projects are maintained by a small group of programmers who volunteer their time and effort to create components that others can freely use. Those individuals, like any other developer, have limited security expertise. The organisations that decide to deploy the software bear the responsibility for ensuring the security of the projects and software.
Unfortunately, many IT vendors and large enterprise IT organisations reuse that code without contributing anything meaningful to the project, whether in terms of funding or assisting open source maintainers in finding and fixing vulnerabilities. Hopefully, the level of open source security will steadily improve in the coming months as a result of an executive order issued by the Biden administration.