Co-sponsored by Snyk, the State of Open Source Security report was compiled from interviews with 550 open source stakeholders and Snyk’s technology, which scanned more than 1.3 billion open source projects.
The use of open source repositories to accelerate time-to-market is widespread in the developer community, but can expose organizations to covert risks if these components contain malware or vulnerabilities.
Once such components are used, these risks can be difficult to find and remediate given the sometimes complex set of dependencies between components.
The average application development project contains 49 vulnerabilities spanning 80 direct dependencies, according to the report.
These challenges are compounded by indirect dependencies: some 40% of all vulnerabilities were found in transitive dependencies, packages pulled in by a project's direct dependencies rather than declared by the project itself, the report claimed.
Worryingly, only 18% of respondents said they are confident in the controls they have in place for their transitive dependencies, and just a quarter said they’re even concerned about the security impact of their direct dependencies.
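Transitive findings are hard to act on because the vulnerable package is not one the project declared; the fix has to go through whichever direct dependency (or dependencies) pulls it in. The following is an added illustration, not code from the report, Snyk or the Linux Foundation: it walks a small dependency graph, separates vulnerable packages into direct and transitive, enumerates every path from the project to each vulnerable package, and reports the direct dependencies a remediation must touch. All package names and advisory identifiers are constructed for the example and refer to nothing real.

```python
from collections import deque

# Constructed dependency graph for this example: package -> packages it
# declares as dependencies. Every name here is invented; nothing refers to
# a real package or a real advisory.
DEP_GRAPH = {
    "app": ["web-framework", "http-client", "yaml-parser"],  # direct deps of the project
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-tools"],
    "yaml-parser": [],
    "template-engine": ["markup-escape"],
    "url-tools": ["markup-escape"],
    "markup-escape": [],
}

# Constructed advisory table: vulnerable package -> invented advisory id.
VULNERABLE = {
    "yaml-parser": "EXAMPLE-ADV-0001",    # sits in a direct dependency
    "markup-escape": "EXAMPLE-ADV-0002",  # three levels down, reached by several paths
}


def transitive_closure(graph, root):
    """Breadth-first walk from root. Returns {package: depth} for every
    package reachable from root (root itself excluded); depth 1 means a
    direct dependency, anything deeper is transitive."""
    depth = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        pkg, d = queue.popleft()
        if pkg in depth:          # already reached at a smaller or equal depth
            continue
        depth[pkg] = d
        queue.extend((dep, d + 1) for dep in graph.get(pkg, []))
    return depth


def vulnerable_paths(graph, root, vulnerable):
    """Enumerate every dependency path from root to each vulnerable package.
    Returns {vulnerable_pkg: [path, ...]} where each path is a list of
    package names starting at root. The second element of every path is
    the direct dependency through which the vulnerable code arrives."""
    found = {}

    def walk(pkg, path):
        for dep in graph.get(pkg, []):
            if dep in path:       # cycle guard: never revisit a package on the current path
                continue
            new_path = path + [dep]
            if dep in vulnerable:
                found.setdefault(dep, []).append(new_path)
            walk(dep, new_path)

    walk(root, [root])
    return found


def classify(graph, root, vulnerable):
    """Split reachable vulnerable packages into direct and transitive lists."""
    reach = transitive_closure(graph, root)
    direct = sorted(p for p, d in reach.items() if p in vulnerable and d == 1)
    transitive = sorted(p for p, d in reach.items() if p in vulnerable and d > 1)
    return direct, transitive


def remediation_points(graph, root, vulnerable):
    """For each vulnerable package, the direct dependencies a fix must go
    through (upgrade, override or replace). A transitive finding reached via
    several direct dependencies needs every one of them handled."""
    return {pkg: sorted({path[1] for path in paths})
            for pkg, paths in vulnerable_paths(graph, root, vulnerable).items()}


if __name__ == "__main__":
    direct, transitive = classify(DEP_GRAPH, "app", VULNERABLE)
    print("direct:", direct, "transitive:", transitive)
    for pkg, paths in vulnerable_paths(DEP_GRAPH, "app", VULNERABLE).items():
        print(f"{pkg} ({VULNERABLE[pkg]}):")
        for p in paths:
            print("   " + " -> ".join(p))
    print("fix via:", remediation_points(DEP_GRAPH, "app", VULNERABLE))
```

In the constructed graph the vulnerable `markup-escape` package is reachable by three paths through two different direct dependencies, so upgrading only one of them leaves the vulnerable code in the build; that is the situation a single "which version do I have?" lookup misses. Real lockfiles (package-lock.json, poetry.lock, go.sum and similar) supply the same graph shape, and an advisory feed supplies the vulnerable set.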
Open source teams are struggling to keep up with the growing need to find and patch these bugs: the time taken to fix open source vulnerabilities is almost 20% longer than in proprietary projects, the report claimed, and the time to fix lengthened from 49 days in 2018 to 110 days last year.
That may be due to staff shortages: 30% of organizations without an open source security policy said that no one on their team is currently addressing open source security directly.
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF).
“This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.”
Leading figures from the community met in Washington in May to outline their 10-point plan for enhancing the security of the open source software supply chain.