When you purchase through links on our site, we may earn an affiliate commission. Here’s how it works.

Open-Source code is unsafe and risky because of its rampant use, claims report

Neowin · · Hot! with 9 comments

Open-source software has been increasingly popular among developers and tech companies. However, the unrestricted deployment of open-source code is steadily becoming a security risk, claims a new report titled “The State of Open-Source Security”.

The research from developer security firm Snyk and the Linux Foundation claims more than a third of the organizations don't have high confidence in their open-source software security. Speaking about the report, Matt Jarvis, director of developer relations at Snyk said:

Software developers today have their own supply chains -- instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.

This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open-source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue to build fast, while also staying secure.

The research claims an average application development project has 49 vulnerabilities and 80 direct dependencies. Moreover, the time it takes to fix vulnerabilities in open-source projects has steadily increased. Back in 2018, it took on average 49 days to fix a security vulnerability. In 2021, it takes about 110 days to develop a patch.

The report says that only 49% of organizations have a security policy for open-source software development or usage. And, this number is a mere 27% for medium-to-large companies. Around 30% of organizations even admitted that no one in their team is directly responsible, or even addressing, open-source security. Incidentally, these companies did not have a dedicated open-source security policy.

The report is based on a survey of over 550 respondents in the first quarter of 2022 as well as data from Snyk Open Source, which involves the scrutiny of more than 1.3 billion open-source projects.

Report a problem with article
An illustration showing people working on developing the Edge browser version 104
Next Article

Final Edge Dev 104 build makes toggling between light and dark theme smoother

A person typing on a keyboard in a dark room
Previous Article

Permiso's cyber security increased with new cloud detection service

Join the conversation!

Login or Sign Up to read and post a comment.

9 Comments - Add comment