The security of open source software remains a concern, with developers taking longer to fix vulnerabilities as they combine open source components with their own code when building applications, a global study has found.
According to The state of open source security report by Snyk and The Linux Foundation, more than four in 10 organisations surveyed do not have high confidence in the security of open source software, with the average application development project having 49 vulnerabilities and 80 direct dependencies.
The time taken to fix vulnerabilities in open source projects has also increased, more than doubling from 49 days in 2018 to 110 days in 2021.
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, director of developer relations at Snyk.
“This first-of-its-kind report found widespread evidence suggesting industry naivete about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.”
Having an open source software security policy is one of the ways organisations can mitigate security risks, but fewer than half (49%) of organisations have a security policy for open source software development or usage.
Furthermore, some three in 10 organisations without an open source security policy openly recognise that no one on their team is currently directly addressing open source security.
Many developers also do not know what dependencies the open source components in their applications bring in. Just over a quarter of developers were concerned about the security impact of their direct dependencies, while only 18% were confident in the controls they have in place for transitive dependencies, that is, dependencies of dependencies.
“While open source software undoubtedly makes developers more efficient and accelerates innovation, the way modern applications are assembled also makes them more challenging to secure,” said Brian Behlendorf, general manager of the Open Source Security Foundation (OpenSSF).
“This research clearly shows the risk is real, and the industry must work even more closely together to move away from poor open source or software supply chain security practices,” he added.
OpenSSF was formed in 2020 to improve the security of open source software, bringing together the industry’s open source security initiatives and companies that support them.
It is supported by The Linux Foundation and combines the work of the Core Infrastructure Initiative (CII), GitHub’s Open Source Security Coalition and other open source security work from governing board members, including Google, IBM, JPMorgan Chase, Microsoft and Red Hat.
The CII, which was formed by The Linux Foundation in the aftermath of the 2014 Heartbleed bug, has since been dissolved, with its work now under the auspices of the OpenSSF.
The Linux Foundation said the OpenSSF’s governance, technical community and decisions will be transparent and any specifications and projects developed will be supplier-agnostic, adding that it is committed to working with existing communities to improve open source security for all.