Author: Guy Podjarny, Snyk
Open source software is more popular and more powerful than ever, with most applications built today using open source packages to build better and faster. However, using any third-party code (including open source packages) can introduce security risks, as was spectacularly demonstrated with the emergence of Log4Shell. Developers and organizations using open source need to be aware of the inherent risks that come with those packages. As a community, we need to track this awareness, so we can find our gaps, and invest in fixing them, together!
We’re proud to announce that Snyk has teamed up with the Linux Foundation to research and report on security concerns in the open source ecosystem. The research focused on how developers detect and mitigate risk, and on the practices organizations should adopt to automate and improve the testing of their open source components. We’ve compiled the findings of this research to create the 2022 State of Open Source Security report.
This year’s report examines the complexity introduced by open source packages, especially inside of direct and indirect (transitive) dependencies, and the way organizations are currently managing that complexity as part of their SDLC. The research shows that many organizations still don’t have good policies and governance around open source security, in spite of the popularity of open source packages. A few highlights include:
- 41% of organizations don’t have high confidence in their open source software security.
- The average application in development contains 49 vulnerabilities and 80 direct dependencies.
- The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
- 51% of organizations don’t have a security policy for open source development or usage.
- 30% of organizations without an open source security policy readily recognize that no one on their team is responsible for addressing open source security.
Using open source packages safely requires a new way of thinking about developer security that many organizations have not yet adopted. When you consider the prevalence of open source in modern applications, and then recognize how attractive open source packages are to bad actors, you see that the place where you’re most vulnerable is within your open source components. We believe that the successful implementation of good security practices — and the adoption of good open source security tools — has to start with the developers themselves. On top of that, we believe that recognizing the importance of actionable security policies has to be shared across the entire organization. The findings in this report really highlight why we focus so much on open source security at Snyk, why we built Snyk Open Source, and why we support the Open Source Security Foundation (OpenSSF). As we share and consume more open source packages, we need to be more diligent about being able to use open source but still stay secure.
Be sure to read the 2022 State of Open Source Security report.