Open-source software has become increasingly popular among developers and tech companies. However, the unrestricted deployment of open-source code is steadily becoming a security risk, claims a new report titled “The State of Open-Source Security”.
The research from developer security firm Snyk and the Linux Foundation claims that more than a third of organizations lack high confidence in the security of their open-source software. Speaking about the report, Matt Jarvis, director of developer relations at Snyk, said:
Software developers today have their own supply chains -- instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.
This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open-source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue to build fast, while also staying secure.
The research claims an average application development project has 49 vulnerabilities and 80 direct dependencies. Moreover, the time it takes to fix vulnerabilities in open-source projects has steadily increased. Back in 2018, it took on average 49 days to fix a security vulnerability. In 2021, it took about 110 days to develop a patch.
The report says that only 49% of organizations have a security policy for open-source software development or usage, and this figure is a mere 27% for medium-to-large companies. Around 30% of organizations even admitted that no one on their team is directly responsible for, or even addressing, open-source security. Incidentally, these companies did not have a dedicated open-source security policy.
The report is based on a survey of over 550 respondents in the first quarter of 2022, as well as data from Snyk Open Source, which involved the scrutiny of more than 1.3 billion open-source projects.