- Two of every five organizations don’t have strong confidence in their open source software security, according to a joint study from The Linux Foundation and Snyk, a firm that specializes in developer security. Just half of organizations actually have a security policy related to open source development or usage, the research showed.
- The average application development project has 49 vulnerabilities and 80 direct dependencies, according to the report.
- The time required to fix vulnerabilities in open source more than doubled to 110 days in 2021, compared with 41 days during 2018, the report found.
The report comes at a time when the security of open source software is a major concern of both information security experts and government officials.
Open source vulnerabilities like Log4j and the 2017 Apache Struts case linked to the Equifax breach highlight the continued threat posed when millions of applications are exposed to these vulnerabilities. The most inexperienced and unsophisticated hackers are able to take advantage of these flaws to steal or manipulate sensitive data.
“Open source has changed the way developers work, and has brought more efficiency, innovation and speed in the way modern applications are made," Matt Jarvis, director of developer relations at Snyk, said via email. “This ubiquity has also made it a target, as attackers have realized that the open source supply chain may be easier to exploit than directly looking for vulnerabilities in end user applications.”
The increased time to find open source vulnerabilities reflects another set of challenges, according to Jarvis.
Developers are creating more software on an annual basis, which can force organizations to focus on critical vulnerabilities. That can leave less severe vulnerabilities unpatched and lingering for exploitation.
“Organizations will rightly focus on fixing critical issues, but the growing average suggests both a growing number of vulnerabilities across ecosystems and the challenges facing organizations in dealing with software security in general,” Jarvis said.
A 2021 study from Forrester shows two-thirds of respondents estimated their organizations had been breached at least once in the previous 12 months, according to the research firm's senior analyst Janet Worthington.
More than one-third of respondents said the compromise was due to an external attack and the leading factor was a software vulnerability exploit, beating out phishing, social engineering and web application exploits, Worthington said.
“Not having a strong open source security policy is a problem when you look at how attackers are compromising organizations,” Worthington said.
Beyond creating specific open source security policies, there are steps companies can take to search for software vulnerabilities.
Organizations are increasingly using trusted component registries and software composition analysis tools to protect the integrity of open source, according to Manjunath Bhat, VP Analyst at Gartner.
“The increased threats of malicious code injection as part of supply chain attacks makes it critical to protect open-source software dependencies,” Bhat said via email.
The Snyk-Linux Foundation study was based on responses from more than 500 organizations, ranging from small firms to medium-to-large enterprises, Jarvis said. Data from Snyk Open Source, which scans about 1.3 billion open source projects, was also used for the report.