A small study has revealed that almost half of respondents were unaware of, and not managing, evolving open source risks.
Based on a survey of 550 respondents in Q1 2022, as well as data from open source projects, 41% of respondents did not have high confidence in the security of their open source software, and the time taken to fix vulnerabilities in such projects had increased from 49 days (2018) to 110 days (2021).
In addition, data indicates the average application development project among respondents now had 49 vulnerabilities and 80 direct dependencies (open source code called by a project).
Other findings include:
- 49% of respondents had a security policy for OSS development or usage (27% for medium-to-large firms)
- 30% of organizations in the survey that did not have an open source security policy recognized that no one on their team was currently directly addressing open source security.
- Over 25% of respondents indicated they were concerned about the security impact of their direct dependencies.
- 18% of respondents indicated they were confident in the controls they had in place for their transitive dependencies.
- 40% of all vulnerabilities found in respondents’ open source projects were found in transitive dependencies.
- Respondents indicated that fixing vulnerabilities in open source projects took almost 18.75% longer than in proprietary projects.
The results are a snapshot of the level of security risks resulting from the widespread use of open source software within modern application development, as well as a gauge of how many of the organizations polled were ill-prepared to effectively manage these risks.
According to Matt Jarvis, Director, Developer Relations, Snyk, which commissioned the joint research with The Linux Foundation, with support from the Open Source Security Foundation (OpenSSF), the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation: “Software developers today have their own supply chains: they are assembling code by patching together existing open source components with their own (coding). While this leads to increased productivity and innovation, it has also created significant security concerns. This first-of-a-kind report has found widespread evidence suggesting industry naiveté about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”
Open source risk factors
While open source software undoubtedly accelerates innovation and improves developer efficiencies, the way modern applications are assembled also makes them more challenging to secure, said Brian Behlendorf, General Manager, OpenSSF: “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.”
Some of the risk factors:
- Increasing use of code from all sorts of sources, and increased reuse of code from old applications and code repositories. Finding and using possibly outdated or vulnerability-laden open source code this way requires a new way of thinking about developer security that many organizations have not yet adopted.
- When developers incorporate an open source component in their applications, they immediately become dependent on that component and are at risk if that component contains vulnerabilities. Dozens of vulnerabilities were discovered across many direct dependencies in each application evaluated in the survey.
Finally, the risks of open source are compounded by indirect, or transitive, dependencies, which are the dependencies of dependencies. Many developers do not even know about these dependencies, making the risks beneath such linked code even more challenging to track and secure.
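To make the direct/transitive distinction concrete, here is an added Python example (not part of the report or its survey data): it walks a constructed dependency graph, separates the direct dependencies from the packages pulled in beneath them, and attributes a constructed advisory list to each class, which is how a "share of findings in transitive dependencies" figure like the one quoted above is derived. All package names and advisory ids are constructed placeholders.

```python
# Added example, not from the report: classify deps as direct/transitive and attribute known vulnerabilities.
from collections import deque

# Constructed graph: package -> packages it depends on. "app" is the project;
# its own edges are the direct dependencies.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "logger"],
    "web-framework": ["template-engine", "router"],
    "template-engine": ["html-escape"],
    "router": ["path-matcher"],
    "http-client": ["tls-shim", "compression"],
    "logger": ["ansi-colors"],
    "compression": ["ansi-colors"],  # shared transitive dependency
}

# Constructed advisories: vulnerable package -> placeholder advisory id.
ADVISORIES = {
    "http-client": "ADV-0001",
    "html-escape": "ADV-0002",
    "path-matcher": "ADV-0003",
    "tls-shim": "ADV-0004",
    "unused-lib": "ADV-0005",  # not reachable from app, must not be reported
}

def resolve_dependencies(graph, root="app"):
    """Return (direct, transitive) package sets reachable from root.
    Breadth-first walk; the seen set tolerates cycles and shared deps."""
    direct = set(graph.get(root, []))
    seen = set(direct)
    queue = deque(direct)
    while queue:
        for dep in graph.get(queue.popleft(), []):
            if dep != root and dep not in seen:
                seen.add(dep)
                queue.append(dep)
    return direct, seen - direct

def attribute_vulnerabilities(graph, advisories, root="app"):
    """Map each reachable vulnerable package to ('direct'|'transitive', id)
    and return the fraction of findings that sit in transitive dependencies."""
    direct, transitive = resolve_dependencies(graph, root)
    findings = {}
    for pkg, adv in advisories.items():
        if pkg in direct:
            findings[pkg] = ("direct", adv)
        elif pkg in transitive:
            findings[pkg] = ("transitive", adv)
    transitive_hits = sum(k == "transitive" for k, _ in findings.values())
    return findings, (transitive_hits / len(findings) if findings else 0.0)
```

With the constructed graph, three of the four reachable findings sit in packages the project never lists itself, which is exactly the "dependencies of dependencies" blind spot the report describes.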