The security of open source software remains a concern, with developers taking longer to fix vulnerabilities as they combine open source components with their own code when building applications, a global study finds.
According to The State of Open Source Security, a report by Snyk and The Linux Foundation, more than four in ten organizations surveyed have low confidence in open source software security, with the average application development project having 49 vulnerabilities and 80 direct dependencies.
The time it takes to fix vulnerabilities in open source projects has also increased, more than doubling from 49 days in 2018 to 110 days in 2021.
“Software developers today have their own supply chains – instead of assembling car parts, they assemble code by patching existing open source components together with their unique code. While this leads to increased productivity and innovation, it has also created major security concerns,” said Matt Jarvis, director of developer relations at Snyk.
“This first-of-its-kind report found widespread evidence suggesting industry naivety about the current state of open source security. Together with The Linux Foundation, we plan to use these findings to further educate and equip developers around the world to keep building fast while staying secure.”
Having open source software security policies is one of the ways organizations can mitigate security risks, but less than half (49%) of organizations have security policies for developing or using open source software.
In addition, about three in 10 organizations without open source security policies openly acknowledge that no one on their team is currently directly involved in open source security.
Many developers are also unaware of the dependencies of the open source components in their applications. Just over a quarter of developers were concerned about the security impact of their direct dependencies, while only 18% were confident in the controls they have for transitive dependencies (the dependencies of their dependencies).
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them harder to secure,” said Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF).
“This research clearly shows that the risk is real, and the industry needs to work even more closely to move away from poor open source or software supply chain security practices,” he added.
OpenSSF was founded in 2020 to improve the security of open source software by bringing together the open source security initiatives of the industry and the companies that support them.
It is supported by The Linux Foundation and combines the work of the Core Infrastructure Initiative (CII), GitHub’s Open Source Security Coalition, and other open source security work from board members, including Google, IBM, JPMorgan Chase, Microsoft, and Red Hat, among others.
Founded by The Linux Foundation in the wake of the 2014 Heartbleed bug, the CII has since disbanded, with its work now under the auspices of the OpenSSF.
The Linux Foundation said OpenSSF’s governance, technical community, and decisions will be transparent and that all specifications and projects it develops will be vendor-independent, adding that it is committed to working with existing communities to improve open source security for everyone.