The widespread use of open source software (OSS) within modern application development poses a “significant security risk,” new research suggests.
According to a new report from cybersecurity firm Snyk, produced together with the Linux Foundation, today's organizations are insufficiently prepared to address these risks.
Based on a survey of more than 550 respondents and data from 1.3 billion open source projects gathered through Snyk Open Source, the report states that two in five (41%) companies do not trust the security of their open source code.
Vulnerabilities in open source code
The report found that the average application development project has 49 vulnerabilities and 80 direct dependencies. Fixing a vulnerability in an open source project now typically takes 110 days, up from 49 days four years ago.
“Software developers today have their own supply chains – instead of assembling car parts, they assemble code by patching existing open source components together with their unique code. While this leads to increased productivity and innovation, it has also created major security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk.
Jarvis added that there is a certain “naivety” in the industry’s approach to open source software, which could open the door to all sorts of malware, ransomware and other attacks.
For example, fewer than half (49%) of organizations have a security policy covering the development or use of OSS; among medium and large companies the figure falls to 27%. Moreover, among organizations without an open source security policy, fewer than a third (30%) acknowledge that no one in the organization is currently responsible for securing the open source software they use.
Some respondents are nonetheless aware of the security challenges open source software poses in the supply chain. A quarter said they were concerned about the security impact of their OSS dependencies, and only 18% said they trust the checks they have in place for their transitive dependencies, even though transitive dependencies account for 40% of all vulnerabilities found.
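The point about transitive dependencies is easier to see with a concrete graph walk: a direct dependency can be clean while something it pulls in three levels down is not, and the question a team then needs answered is which direct dependency introduced it. The following is an added example, not code from the report, from Snyk, or from the Linux Foundation. The dependency graph, package names, versions and advisory data are all constructed for illustration, and the dictionary stands in for the resolved graph a real lockfile records.

```python
"""Separate direct from transitive dependencies in a resolved dependency graph
and flag packages below an advisory's fixed version.

Example code added for illustration; all names and versions are constructed."""
from collections import deque

# Constructed sample of a resolved dependency graph, of the kind a lockfile
# records: "name@version" -> the "name@version" entries it depends on.
# Every package name here is hypothetical.
SAMPLE_LOCK = {
    "app@1.0.0": ["web-framework@2.3.1", "json-tool@1.4.0", "cli-colors@0.9.2"],
    "web-framework@2.3.1": ["http-parser@3.0.4", "template-engine@1.1.0"],
    "http-parser@3.0.4": ["byte-buffer@0.2.1"],
    "template-engine@1.1.0": ["escape-html@2.0.0", "log-util@1.0.5"],
    "log-util@1.0.5": ["template-engine@1.1.0"],  # cycle, as real graphs have
    "json-tool@1.4.0": [],
    "cli-colors@0.9.2": [],
    "byte-buffer@0.2.1": [],
    "escape-html@2.0.0": [],
}

# Constructed advisory data: package -> first fixed version (everything below
# is affected).  Not real advisories.
SAMPLE_ADVISORIES = {
    "byte-buffer": "0.3.0",
    "escape-html": "2.0.0",  # 2.0.0 itself is the fix, so it must not be flagged
    "json-tool": "1.4.2",
    "log-util": "1.1.0",
}


def parse_version(version):
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not lexically."""
    return tuple(int(part) for part in version.split("."))


def split_ref(ref):
    """Split 'name@version' into its two parts."""
    name, _, version = ref.rpartition("@")
    return name, version


def walk(lock, root):
    """Breadth-first walk from root.

    Returns {ref: path}, where path is the chain of refs from the direct
    dependency down to ref (root excluded).  Because the walk is breadth-first
    the first path found is a shortest one, so a package that is reachable both
    directly and transitively is recorded as direct (path length 1).  The
    visited check also terminates on cycles."""
    paths = {}
    queue = deque()
    for direct in lock.get(root, []):
        if direct not in paths:
            paths[direct] = [direct]
            queue.append(direct)
    while queue:
        ref = queue.popleft()
        for child in lock.get(ref, []):
            if child != root and child not in paths:
                paths[child] = paths[ref] + [child]
                queue.append(child)
    return paths


def audit(lock, advisories, root):
    """Return one finding per resolved package whose version is below the
    advisory's fixed version, with the direct dependency that introduced it."""
    findings = []
    for ref, path in walk(lock, root).items():
        name, version = split_ref(ref)
        fixed = advisories.get(name)
        if fixed is None or parse_version(version) >= parse_version(fixed):
            continue
        findings.append({
            "package": name,
            "version": version,
            "fixed_in": fixed,
            "direct": len(path) == 1,
            "introduced_via": path[0],
            "path": " -> ".join(path),
        })
    return sorted(findings, key=lambda f: f["package"])


def summary(findings):
    """Count how many findings sit in direct versus transitive dependencies."""
    direct = sum(1 for f in findings if f["direct"])
    return {"direct": direct, "transitive": len(findings) - direct}


if __name__ == "__main__":
    results = audit(SAMPLE_LOCK, SAMPLE_ADVISORIES, "app@1.0.0")
    for f in results:
        kind = "direct" if f["direct"] else "transitive"
        print(f"{f['package']}@{f['version']} ({kind}, fixed in {f['fixed_in']}): {f['path']}")
    print(summary(results))
```

On the constructed data, one of the three findings is in a direct dependency and two are in packages the project never asked for; both of the latter arrive through web-framework, so that is the dependency whose upgrade or replacement needs to be evaluated. Two details matter in practice: the version comparison is numeric, since a string comparison would rank 1.10.0 below 1.9.0, and a package sitting exactly at the fixed version is not flagged.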