July 20, 20220 mins read
Snyk recently partnered with the Linux Foundation to produce a report focusing on the state of security in the open source software (OSS) space. The report was based on 550+ survey responses and 15 interviews with OSS maintenance and cybersecurity experts.
Following the report's publication, experts from Snyk held a webinar with the Linux Foundation to discuss some of the key insights: Addressing Cybersecurity Challenges In Open Source Software: Expert Panel. Participants in the webinar included: Mic McCully (Field Strategist, Snyk), Matt Jarvis (Director of Developer Relations, Snyk), and Steve Hendrick (VP of Research, Linux Foundation).
Read on to learn more about improving open source security and sustainability.
Software supply chain vulnerabilities
As software supply chains grow in complexity, open source security is becoming more critical than ever before. For example, most software today has many indirect or transitive dependencies, which are challenging to visualize and assess from an application security perspective.
Even more insightful is where those vulnerabilities lie within packages. The report revealed that over 40% of these security issues are found in indirect dependencies, meaning development teams often aren’t aware that they’re pulling vulnerable code into their projects.
The need for SBOMs and OSS security policies
Since security issues are often hidden deep within complex dependency trees, the idea
of creating a software bill of materials (SBOM) is growing in popularity. SBOMs are formal records of a software’s components and supply chain relationships with the aim of improving transparency.
Part of the reason many companies aren’t building SBOMs is the overall lack of open source security. In fact, the report survey results revealed that only 49% of organizations have a security policy that addresses open source security.
How are organizations checking the security of OSS packages?
While the report found that 44% of companies have developers examine source code for vulnerabilities, there are nearly a dozen different types of tools they use to do so. Two of the most popular include static application security testing (SAST) and software composition analysis (SCA).
Another common way organizations are checking the security of OSS packages is by vetting them before they’re adopted. They look for OSS projects with positive ratings, an active community that's frequently releasing new code changes, and a publicly disclosed security policy. However, these components could still have vulnerabilities within the transitive dependencies if the project maintainers aren’t proactively implementing OSS security themselves.
The impact of Log4Shell in the Java community
The report also revealed some interesting insights about the widespread Log4Shell vulnerability in the Java community. Most notably, 79% of projects affected by Log4Shell have more than one Log4Shell vulnerability within the codebase, and 60% of the instances were found in indirect dependencies.
Open source vulnerabilities are becoming harder to fix
Software supply chains are getting more complex, and visibility into security is becoming a greater challenge for many organizations. As a result, open source vulnerabilities are becoming harder to fix as well. In fact, time to fix vulnerabilities has increased from 49 days in 2018 to 110 days in 2021.
Another challenge organizations are facing with the increase in remediation times is resourcing. Some companies are, in fact, fixing critical issues faster than before, but low priority vulnerabilities are being addressed too slowly due to a lack of application security resources. That’s why SAST and SCA tools are the top two ways companies say they’re addressing security concerns.
SAST and SCA scanning tools can be integrated into CI/CD pipelines and the development process to automate the detection and remediation of many open source vulnerabilities. This helps organizations overcome some of the application security resource challenges they face.
The state of open source security in 2022
This conversation between Snyk and The Linux Foundation covered some key insights from the report, but there is much more to uncover. Download the full report to learn more about the complexity and risk associated with today’s software supply chain landscape: State of Open Source Security 2022.