A new report finds that the widespread use of open-source software in modern application development carries significant security risks.
Snyk and The Linux Foundation released the results of their first joint research report, The State of Open Source Security, showing that many organizations lack strategies to address application vulnerabilities that result from code reuse.
The report also reveals how many organizations are ill-prepared to manage these risks effectively. Specifically, the report found:
More than four in ten (41%) organizations are not confident in their open-source software security.
The average application development project has 49 vulnerabilities and 80 direct dependencies (open-source code called by a project).
The time it takes to fix vulnerabilities in open-source projects has steadily increased, doubling from 49 days in 2018 to 110 days in 2021.
“Software developers today have their supply chains – instead of assembling auto parts, they assemble code by patching existing open source components with their unique code. While this leads to increased productivity and innovation, it poses significant security concerns,” said Matt Jarvis, director, Developer Relations, Snyk.
“This first-of-its-kind report found widespread evidence suggesting industry naivety about the current state of open source security,” he said.
“Together with The Linux Foundation, we plan to use these findings to educate further and equip the world’s developers to keep building fast while staying secure.”
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them harder to secure,” added Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF).
“This research clearly shows that the risk is real, and the industry needs to work even more closely to move away from the poor open source or software supply chain security practices.”
Using open source requires a new way of thinking about development that many organizations have not yet adopted. According to the report, modern application development teams are using code from various places. They reuse code from other applications they’ve built and search code repositories to find open-source components that provide the functionality they need.
The report found that less than half (49%) of organizations have security policies in place for the development or use of OSS (and this number is only 27% for medium to large companies), and three in ten (30%) organizations with no open source security policies openly acknowledge that no one on their team is currently directly involved in open source security. When developers include an open-source component in their applications, they become directly dependent on that component and are at risk if it contains vulnerabilities. The report shows how real this risk is, with dozens of vulnerabilities discovered in many direct dependencies in each application evaluated.
Indirect or transitive dependencies, the dependencies of your dependencies, also exacerbate this risk. Many developers are unaware of these dependencies, making them even more difficult to track and secure.
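The direct-versus-transitive distinction above is easiest to see on a concrete dependency graph. The following script is an added illustration, not code from the report or from Snyk: it walks a constructed lockfile-style graph with breadth-first search, records each package's depth (1 = direct dependency), classifies known-vulnerable packages as direct or transitive, and recovers the chain through which a transitive dependency is pulled in. The package names and the advisory identifiers are made-up sample data.

```python
"""Enumerate direct and transitive dependencies of a project and report which
known-vulnerable packages are reachable only through transitive dependencies.

Added illustration: the dependency graph and advisory list below are constructed
sample data, not output from any real package manager or vulnerability database.
"""

from collections import deque

# Constructed sample: package -> list of its declared dependencies
# (the shape you would get by flattening a lockfile such as package-lock.json).
GRAPH = {
    "my-app": ["web-framework", "json-lib", "logger"],
    "web-framework": ["http-core", "template-engine"],
    "template-engine": ["escape-util"],
    "http-core": ["url-parser"],
    "json-lib": [],
    "logger": ["url-parser"],
    "url-parser": [],
    "escape-util": [],
}

# Constructed sample advisories: package -> advisory id (placeholder identifiers).
ADVISORIES = {
    "url-parser": "EXAMPLE-ADVISORY-0001",
    "json-lib": "EXAMPLE-ADVISORY-0002",
}


def direct_dependencies(graph, root):
    """The dependencies a project declares itself."""
    return list(graph.get(root, []))


def transitive_dependencies(graph, root):
    """Return {package: depth} for every package reachable from root, excluding
    root itself. Depth 1 means a direct dependency. Breadth-first search keeps
    the shortest path length and handles cycles (a package is visited once)."""
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:
            continue
        depth[pkg] = d
        for child in graph.get(pkg, []):
            if child not in depth:
                queue.append((child, d + 1))
    return depth


def vulnerable_dependencies(graph, advisories, root):
    """Classify each reachable vulnerable package as 'direct' or 'transitive'."""
    depth = transitive_dependencies(graph, root)
    report = {}
    for pkg, d in depth.items():
        if pkg in advisories:
            report[pkg] = {
                "advisory": advisories[pkg],
                "kind": "direct" if d == 1 else "transitive",
                "depth": d,
            }
    return report


def path_to(graph, root, target):
    """Return one dependency chain from root to target (for triage), or None."""
    parents = {root: None}
    queue = deque([root])
    while queue:
        pkg = queue.popleft()
        if pkg == target:
            path = []
            while pkg is not None:
                path.append(pkg)
                pkg = parents[pkg]
            return path[::-1]
        for child in graph.get(pkg, []):
            if child not in parents:
                parents[child] = pkg
                queue.append(child)
    return None


if __name__ == "__main__":
    reachable = transitive_dependencies(GRAPH, "my-app")
    print(f"direct: {len(direct_dependencies(GRAPH, 'my-app'))}, "
          f"total reachable: {len(reachable)}")
    for pkg, info in vulnerable_dependencies(GRAPH, ADVISORIES, "my-app").items():
        chain = " -> ".join(path_to(GRAPH, "my-app", pkg))
        print(f"{pkg}: {info['advisory']} ({info['kind']}, depth {info['depth']}) via {chain}")
```

On this sample the project declares three dependencies but pulls in seven packages, and one of the two vulnerable packages (`url-parser`) never appears in the project's own manifest; it arrives through `logger` and again through `http-core`. Reporting the chain alongside the finding is what lets a team decide whether to upgrade the direct dependency, pin the transitive one, or replace it.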
That said, survey respondents are, to some extent, aware of the security complexities created by open source in the software supply chain today:
More than a quarter of respondents said they were concerned about the security impact of their direct dependencies.
Only 18% of respondents said they are sure of the controls they have for their transitive dependencies.
Forty percent of all vulnerabilities were found in transitive dependencies.
As application development has become more complex, the security challenges development teams face have become more difficult. The report found that fixing vulnerabilities in open-source projects takes nearly 20% longer (18.75%) than in proprietary projects. While open-source software makes development more efficient, using it increases the cleanup burden.