Software developers today have their own supply chains, assembling code by patching existing open source components together with their unique code. While this leads to increased productivity and innovation, it has also created significant safety issues.
Open source security could be a victim of its own success, according to a new study by developer security provider Snyk and The Linux Foundation on the state of open security.
The researchers found that organizations with open source security policies were more likely to view their application development as very or somewhat secure compared to organizations without such policies.
An open source security policy provides many benefits and benefits to an organization, including a reduction in development costs and more time spent on value-added tasks. However, there is a risk of offloading too much of the security workload, leading to cyberattacks and breaches.
“While open source is a proven mechanism for innovation and building high-quality software, it is somewhat a victim of its own success as its ubiquity has made it a target for attacks in the supply chain,” said director of developer relations at Snyk, Matt Jarvis. “Companies need to build a better understanding of both the mechanisms by which open source works, and this includes both governance and code, and strengthen their approach to supply chain management by applying developer-first security tools and methodologies.”
This is especially a problem for smaller organizations, who may not have the resources to create a security policy. In the survey, 60 percent of small organizations said they had no policies, and a lack of resources and time were cited as the top two reasons for the lack of security policies. Only 27 percent of medium and large organizations said they had no security policies in place.
“Open source software undoubtedly makes developers more efficient and accelerates innovation, but the way modern applications are assembled also makes them harder to secure,” said Brian Behlendorf, general manager of the Open Source Security Foundation. “This research clearly shows that the risk is real, and the industry needs to work even more closely to move away from poor open source or software supply chain security practices.”
The study found that the average development project has 49 vulnerabilities and 80 direct dependencies, and the time it takes to fix these vulnerabilities has more than doubled since 2018, from an average of 49 days to 110 days in 2021.
“Software developers today have their own supply chains – instead of assembling car parts, they assemble code by patching existing open source components together with their unique code. While this leads to increased productivity and innovation, it has also created major safety issues,” says Jarvis.
There is a concern that organizations are not fully aware of the complexities of open source security. Only a quarter of organizations were concerned about the impact of direct dependencies, and 30 percent of organizations with no security policies were able to acknowledge that no one was addressing the problem.