Software developers today have their own supply chains, assembling code by combining existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security issues.
Open source security could be a victim of its own success, according to a new study on the state of open source security by developer security vendor Snyk and The Linux Foundation.
The researchers found that organizations with an open source security policy were more likely to rate their application development as highly or somewhat secure, compared to those without such a policy.
Open source itself provides many advantages to an organization, including reduced development costs and more time spent on value-added tasks. However, there is a risk of offloading too much of the security workload onto the open source ecosystem, and leaving those components unexamined can lead to cyberattacks and breaches.
“While open source is a proven mechanism for innovation and the creation of high-quality software, it is becoming a victim of its own success insofar as its ubiquity has made it a target for supply chain attacks,” said Snyk Director of Developer Relations Matt Jarvis. “Companies need to better understand the mechanisms by which open source works, and that includes governance as well as code, and strengthen their approach to supply chain management by adopting security-focused tools and methodologies.”
This is especially a problem for small organizations, which may not have the resources to create a security policy. In the survey, 60% of small organizations said they had no security policy, and lack of resources and lack of time were cited as the top two reasons for not having one. Only 27% of medium and large companies said they have no security policy.
“Open source software undoubtedly makes developers more efficient and accelerates innovation, but the way modern applications are put together also makes them harder to secure,” said the Open Source Security Foundation’s chief executive, Brian Behlendorf. “This research clearly shows that the risk is real and that the industry needs to work even more closely in order to move away from poor open source or software supply chain security practices.”
The study found that the average application development project has 49 vulnerabilities and 80 direct dependencies, and that the time to fix those vulnerabilities has more than doubled since 2018, from an average of 49 days then to 110 days in 2021.
“Software developers today have their own supply chains – instead of assembling auto parts, they assemble code by combining existing open source components with their unique code. Although this leads to increased productivity and innovation, it has also created significant security issues,” Jarvis said.
There are concerns that organizations are not fully aware of the complexities of open source security. Only a quarter of organizations were concerned about the security impact of their direct dependencies, and 30% of organizations without a security policy acknowledged that no one was addressing open source security at all.
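The distinction the survey turns on is between the direct dependencies a project declares and the transitive ones those pull in, because a vulnerable transitive package can only be remediated by updating every direct dependency that reaches it. The following is an added example, not code from the report or from Snyk: it takes a constructed, lockfile-shaped dependency graph and a constructed list of packages with known advisories (the package names are hypothetical; in practice the list would come from an advisory database) and, for each affected package that is actually reachable from the project root, reports whether it is direct or transitive and which direct dependencies introduce it.

```python
"""Classify advisory-affected packages as direct or transitive dependencies
and identify which direct dependencies pull each one in.

Added example with constructed data; the graph, package names and
vulnerable-package list are hypothetical and not taken from the report.
"""

# Constructed dependency graph in the shape of a flattened lockfile:
# package -> packages it depends on. "app" is the project root, so the
# entries under "app" are the project's direct dependencies.
DEP_GRAPH = {
    "app": ["web-framework", "json-utils", "logger"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["string-escape"],
    "json-utils": [],
    "logger": ["string-escape"],
    "http-parser": [],
    "string-escape": [],
}

# Constructed list of packages with a known advisory. "crypto-legacy" is
# deliberately not in the graph, to show that an advisory that does not
# touch the project is ignored rather than reported.
VULNERABLE = {"string-escape", "http-parser", "json-utils", "crypto-legacy"}


def reachable(graph, start):
    """Return every package reachable from `start` (inclusive) by depth-first
    search over the dependency graph. Cycles are tolerated via `seen`."""
    seen = set()
    stack = [start]
    while stack:
        node = stack.pop()
        if node in seen:
            continue
        seen.add(node)
        stack.extend(graph.get(node, []))
    return seen


def classify_vulnerabilities(graph, vulnerable, root="app"):
    """For each vulnerable package reachable from `root`, report whether it is
    a direct or transitive dependency and the sorted list of direct
    dependencies through which it enters the project ("via"). Remediating a
    transitive finding requires updating every entry in "via"."""
    direct = graph.get(root, [])
    reach = {d: reachable(graph, d) for d in direct}
    report = {}
    for pkg in vulnerable:
        via = sorted(d for d in direct if pkg in reach[d])
        if not via:
            continue  # advisory exists but the package is not in this project
        report[pkg] = {
            "kind": "direct" if pkg in direct else "transitive",
            "via": via,
        }
    return report


def summarize(report):
    """Count findings by kind, the figure a policy owner would track first."""
    counts = {"direct": 0, "transitive": 0}
    for entry in report.values():
        counts[entry["kind"]] += 1
    return counts


if __name__ == "__main__":
    findings = classify_vulnerabilities(DEP_GRAPH, VULNERABLE)
    for pkg, entry in sorted(findings.items()):
        print(f"{pkg}: {entry['kind']}, introduced via {', '.join(entry['via'])}")
    print(summarize(findings))
```

On the constructed graph, `string-escape` is reachable through both `logger` and `web-framework`, so bumping only one of them leaves the vulnerable package in the tree; that is the case a scanner that reports a single path misses. Running this over a real lockfile only requires replacing `DEP_GRAPH` with the parsed lockfile and `VULNERABLE` with the packages an advisory feed flags for the pinned versions.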