Announcing the 2022 State of Open Source Security report from Snyk and the Linux Foundation
Open source software is a key component in modern applications. It has created a new era in software development, promoting a free exchange of ideas within the developer community and enabling developers to build more functional software, faster than ever. By most estimates, open source code makes up 70-90% of any given piece of modern software.
Just as developers of proprietary code use open source packages to speed up development, so do the creators of open source. This means that open source libraries often build upon other open source libraries — which are known as indirect or transitive dependencies — creating a complex tree of dependencies. From a security perspective, open source software introduces many layers of code into your applications — and vulnerabilities can live throughout those layers (as we recently saw with Log4Shell). Managing this risk requires thoughtful planning and implementation of security policies that address the potential attack surface in open source libraries. It also requires equipping your team with reliable, effective tools for fixing detected vulnerabilities, and keeping pace as new vulnerabilities emerge.
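To make the "layers of code" point concrete, here is a small added example (not code from the report, Snyk or the Linux Foundation) that walks a constructed dependency graph, lists every direct and transitive dependency of an application, and shows the paths by which a vulnerable package deep in the tree reaches the application. All package names and advisory identifiers are hypothetical placeholders.

```python
"""Walk a dependency tree to show how a vulnerability in an indirect
(transitive) dependency reaches an application.

All data below is constructed for illustration; the package names and
advisory ids are placeholders, not real packages or advisories.
"""
from collections import deque

# Constructed manifest: package -> list of its direct dependencies.
DEPENDENCY_GRAPH = {
    "my-app": ["web-framework", "http-client"],
    "web-framework": ["template-engine", "logging-lib"],
    "http-client": ["logging-lib", "tls-helper"],
    "template-engine": ["string-utils"],
    "logging-lib": ["string-utils"],
    "tls-helper": [],
    "string-utils": [],
}

# Constructed advisory database: package -> placeholder advisory id.
KNOWN_VULNERABLE = {
    "logging-lib": "EXAMPLE-ADVISORY-1",
    "string-utils": "EXAMPLE-ADVISORY-2",
}


def transitive_dependencies(root, graph):
    """Return every package reachable from root (direct and indirect), excluding root."""
    seen = set()
    queue = deque(graph.get(root, []))
    while queue:
        pkg = queue.popleft()
        if pkg in seen:
            continue
        seen.add(pkg)
        queue.extend(graph.get(pkg, []))
    return seen


def dependency_paths(root, target, graph, path=None):
    """Return every path from root to target as a list of package names."""
    path = (path or []) + [root]
    if root == target:
        return [path]
    paths = []
    for dep in graph.get(root, []):
        if dep not in path:  # guard against dependency cycles
            paths.extend(dependency_paths(dep, target, graph, path))
    return paths


def vulnerable_report(root, graph, advisories):
    """Map each reachable vulnerable package to its advisory, whether it is a
    direct dependency, the depth of its shortest path, and every path to it."""
    report = {}
    for pkg in transitive_dependencies(root, graph):
        if pkg not in advisories:
            continue
        paths = dependency_paths(root, pkg, graph)
        report[pkg] = {
            "advisory": advisories[pkg],
            "direct": pkg in graph.get(root, []),
            "min_depth": min(len(p) - 1 for p in paths),
            "paths": paths,
        }
    return report


if __name__ == "__main__":
    deps = transitive_dependencies("my-app", DEPENDENCY_GRAPH)
    print(f"my-app pulls in {len(deps)} packages: {sorted(deps)}")
    for pkg, info in vulnerable_report("my-app", DEPENDENCY_GRAPH, KNOWN_VULNERABLE).items():
        kind = "direct" if info["direct"] else f"transitive, depth {info['min_depth']}"
        print(f"{pkg} ({info['advisory']}, {kind}) reached via:")
        for p in info["paths"]:
            print("   " + " -> ".join(p))
```

Neither vulnerable package is a direct dependency of my-app, and string-utils is reached by three separate paths, which is why fixing it means either upgrading the package itself or updating every intermediate library that pins it; this is the layered risk the paragraph above describes.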
With the proliferation of open source and increasingly complex dependency trees in mind, Snyk recently partnered with the Linux Foundation to research how organizations detect, mitigate, and reduce the security risks posed by open source software. Today, we’re proud to present the outcome of this research: the 2022 State of Open Source Security report.
Critical numbers from our research
This annual report details the significant security risks that result from the widespread use of open source software. Our research revealed that many organizations are unprepared for dealing with these risks. Specifically, we found that:
- 41% of organizations don’t have high confidence in their open source software security.
- The average application in development contains 49 vulnerabilities and 69 dependencies.
- The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
- 51% of organizations don’t have a security policy for OSS development or usage.
- 30% of organizations without an open source security policy readily recognize that no one on their team is responsible for addressing open source security.
Perhaps the most important finding is that many organizations still don’t fully understand the scope of potential vulnerabilities in open source packages, and don’t have the policies in place to effectively protect their applications. Using open source packages requires a new way of thinking about developer security that many organizations have not yet adopted.
"This first-of-its-kind joint report found widespread evidence suggesting industry naiveté about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world's developers, empowering them to continue building fast, while also staying secure."
Matt Jarvis, Director of Developer Relations at Snyk
The use of open source software will undoubtedly continue to increase. Knowing what risks exist in open source packages, and understanding how to build protection against those risks, can empower your organization to use open source technology efficiently and safely. Finding the most effective tools and policies for open source security is a great place to start.
About this project
The 2022 State of Open Source Security report is a partnership between Snyk and The Linux Foundation, with support from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation. The report is based on a survey of over 550 respondents in the first quarter of 2022 and data from Snyk Open Source, which has scanned more than 1.3 billion open source projects.