Modern application development teams are leveraging code from all sorts of places. When developers incorporate an open source component in their applications, they immediately become dependent on that component and are at risk if that component contains vulnerabilities. Snyk and the Linux Foundation have announced the results of their first joint research report, the State of Open Source Security Report, at the Open Source Summit North America in Austin, TX. The results detail the significant security risks resulting from the widespread use of open source software within modern application development, as well as how many organizations are currently ill-prepared to effectively manage these risks.
The report found that over four out of every ten (41%) organizations don’t have high confidence in their open source software security; the average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project); and the time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
Over one-quarter of survey respondents noted they are concerned about the security impact of their direct dependencies. Also, only 18% of respondents said they are confident in the controls they have in place for their transitive dependencies, and 40% of all vulnerabilities were found in transitive dependencies.
As application development has increased in complexity, the security challenges faced by development teams have also become increasingly complex. While open source components make development more efficient, they also add to the remediation burden. The report found that fixing vulnerabilities in open source projects takes almost 20% longer (18.75%) than in proprietary projects.