A Report Shows that Businesses Must Dramatically Improve their Open Source Software Security

IBL News | Austin, Texas

Many organizations are currently ill-prepared to manage the security risks that come with using open source applications, according to new research from The Linux Foundation and Snyk, a leading company in developer security. Organizations also lack strategies to address application vulnerabilities arising from code reuse.

The report, titled The State of Open Source Security, was released today during the “Open Source Summit North America”, which will attract thousands of industry executives to a packed conference in Austin, Texas, this week [The report in PDF].

The study suggests that the industry is naive about the state of open source security today.

Specifically, the report, based on a survey of over 550 respondents and on scan data from 1.3B open source projects, notes:

  • Over four out of every ten (41%) organizations don’t have high confidence in their open source software security.
  • Fewer than half (49%) of organizations have a security policy for OSS development or usage (and this number is a mere 27% for medium-to-large companies).
  • Three in ten (30%) organizations without an open source security policy openly recognize that no one on their team is directly addressing open source security.
  • The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project).
  • The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
  • Forty percent of all vulnerabilities were found in transitive dependencies. Only 18% of respondents said they are confident in the controls they have in place for their transitive dependencies.

“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, General Manager at Open Source Security Foundation (OpenSSF).

“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director of Developer Relations at Snyk.

The goal of the report is to raise awareness and leverage these findings to further educate and equip developers, empowering them to continue to build fast, while staying secure.