
Open Source Security Ubiquity May Be Its Undoing


Software developers today have their own supply chains, assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.

Written By
David Curry
Jun 27, 2022

Open source security may be a victim of its own success, according to a new study on the state of open source security by developer security provider Snyk and The Linux Foundation.

The researchers found that organizations with an open source security policy were more likely to consider their application development highly or somewhat secure, in comparison to those without such a policy. 


An open source security policy does provide a lot of benefits and advantages to an organization, including a reduction in development cost and more time spent on value-added tasks. However, there is a risk in offloading too much of the security workload, which can lead to cyberattacks and breaches. 

“While open source is a proven mechanism for innovation and building high-quality software, it’s becoming somewhat a victim of its own success in that its ubiquity has made it a target for supply-chain attacks,” said director of developer relations at Snyk, Matt Jarvis. “Companies need to build a stronger understanding of both the mechanisms by which open source works, and this includes governance as well as code, and strengthen their approach to supply chain management through adopting developer-first security tooling and methodologies.”

This is a problem especially for smaller organizations, which may not have the resources to create a security policy. In the survey, 60 percent of small organizations said they had no policy, and lack of resources and lack of time were cited as the two main reasons. Only 27 percent of medium- and large-scale organizations said they didn't have a security policy.


“Open source software undoubtedly makes developers more efficient and accelerates innovation, but the way modern applications are assembled also makes them more challenging to secure,” said general manager at the Open Source Security Foundation, Brian Behlendorf. “This research clearly shows the risk is real, and the industry must work even more closely together in order to move away from poor open source or software supply chain security practices.”

The study found that the average development project has 49 vulnerabilities and 80 direct dependencies, and that the time it takes to fix these vulnerabilities has more than doubled since 2018, from 49 days on average to 110 days in 2021. 

“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Jarvis. 

There is a worry that organizations are not fully aware of the complexities in open source security. Only one quarter of organizations were concerned about the impact of direct dependencies, and 30 percent of organizations without a security policy recognized that nobody was addressing the problem.

David Curry

David is a technology writer with several years' experience covering all aspects of IoT, from technology to networks to security.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved