Open source security is fast becoming a major concern
Widespread use of open source software (OSS) within modern application development poses a “significant security risk”, suggests new research.
According to a new report from cyber security company Snyk, produced with the Linux Foundation, today's organizations are less prepared to deal with these risks.
Based on a survey of more than 550 respondents, as well as data extracted from 1.3 billion open source projects via Snyk Open Source, the report states that two in five (41%) firms protect their open source code.
Vulnerabilities in open source code
It was found that the average application development project has 49 vulnerabilities and 80 direct dependencies. On average, it now takes 110 days to fix a vulnerability in an open source project, up from 49 days four years ago.
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this increases productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, director of developer relations at Snyk.
Jarvis said there is a certain “naivety” to the industry's approach to open source software, which can open the door to all kinds of malware, ransomware and other attacks.
For example, less than half (49%) of organizations have a security policy for OSS development or use, falling to 27% among medium- and large-sized companies. Furthermore, fewer than a third (30%) of organizations without an open source security policy acknowledge that no one is currently addressing the security of the open source software they use.
But few respondents are aware of the security challenges posed by open source software in the supply chain. A quarter said they were concerned about the security implications of their reliance on OSS, and only 18% said they were confident in the controls established for their transitive dependencies, where 40% of all vulnerabilities were found.