Announcing the 2022 State of Open Source Security report from Snyk and the Linux Foundation

Megan Moore, June 21, 2022

Open source software is a key component in modern applications. It has created a new era in software development, promoting a free exchange of ideas within the developer community and enabling developers to build more functional software, faster than ever. Based on most estimates, open source code makes up 70-90% of any piece of modern software.

Just as developers of proprietary code use open source packages to speed up development, so do the creators of open source. This means that open source libraries often build upon other open source libraries — which are known as indirect or transitive dependencies — creating a complex tree of dependencies. From a security perspective, open source software introduces many layers of code into your applications — and vulnerabilities can live throughout those layers (as we recently saw with Log4Shell). Managing this risk requires thoughtful planning and implementation of security policies that address the potential attack surface in open source libraries. It also requires equipping your team with reliable, effective tools for fixing detected vulnerabilities, and keeping pace as new vulnerabilities emerge. 
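To make the transitive-dependency point concrete, here is an added example (not code from the report, from Snyk, or from the Linux Foundation) that walks a small constructed dependency graph and reports which reachable packages carry an advisory and through which path, so a vulnerable package three levels down is as visible as a direct one. Package names and advisory ids are made up, and the advisory index is keyed on package name only.

```python
from collections import deque

# Constructed sample graph: package -> its declared direct dependencies.
# Names are made up; "string-helpers" -> "logging-lib" is a deliberate cycle,
# which real lockfiles can contain.
DEPENDENCY_GRAPH = {
    "my-app": ["web-framework", "json-utils"],
    "web-framework": ["http-client", "logging-lib"],
    "http-client": ["logging-lib", "json-utils"],
    "json-utils": [],
    "logging-lib": ["string-helpers"],
    "string-helpers": ["logging-lib"],
}

# Constructed advisory index (package -> placeholder advisory id). A real feed
# keys on package and affected version range; versions are omitted here.
ADVISORIES = {"json-utils": "EXAMPLE-ADV-0001", "string-helpers": "EXAMPLE-ADV-0002"}


def resolve_paths(graph, root):
    """Breadth-first walk from root; returns {package: shortest path from root}.
    The `paths` dict doubles as the visited set, so cycles cannot loop forever."""
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, []):
            if dep not in paths:  # first visit is the shortest path
                paths[dep] = paths[current] + [dep]
                queue.append(dep)
    return paths


def vulnerable_dependencies(graph, advisories, root):
    """Return [(package, advisory, depth, path)] for each reachable package with
    an advisory, shallowest first. depth 1 is a direct dependency; >1 transitive."""
    paths = resolve_paths(graph, root)
    findings = [(pkg, advisories[pkg], len(path) - 1, path)
                for pkg, path in paths.items() if pkg != root and pkg in advisories]
    return sorted(findings, key=lambda f: (f[2], f[0]))


def count_by_depth(findings):
    """Split findings into direct (depth 1) and transitive (depth > 1) counts."""
    direct = sum(1 for f in findings if f[2] == 1)
    return {"direct": direct, "transitive": len(findings) - direct}


if __name__ == "__main__":
    found = vulnerable_dependencies(DEPENDENCY_GRAPH, ADVISORIES, "my-app")
    for pkg, adv, depth, path in found:
        print(f"{pkg}: {adv} at depth {depth} via {' > '.join(path)}")
    print(count_by_depth(found))
```

In a real pipeline the graph would come from the project's lockfile and the advisory index from a vulnerability database, with version ranges applied before a package is flagged.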

With the proliferation of open source and increasingly complex dependency trees in mind, Snyk recently partnered with the Linux Foundation to research how organizations detect, mitigate, and reduce the security risks posed by open source software. Today, we’re proud to present the outcome of this research: the 2022 State of Open Source Security report. 

Critical numbers from our research

This annual report details the significant security risks that result from the widespread use of open source software. Our research revealed that many organizations are unprepared for dealing with these risks. Specifically, we found that:

  • 41% of organizations don’t have high confidence in their open source software security.
  • The average application in development contains 49 vulnerabilities and 69 dependencies.
  • The time it takes to fix vulnerabilities in open source projects has steadily increased, more than doubling from 49 days in 2018 to 110 days in 2021.
  • 51% of organizations don’t have a security policy for OSS development or usage.
  • 30% of organizations without an open source security policy readily recognize that no one on their team is responsible for addressing open source security.

Perhaps the most important finding is that many organizations still don’t fully understand the scope of potential vulnerabilities in open source packages, and don’t have the policies in place to effectively protect their applications. Using open source packages requires a new way of thinking about developer security that many organizations have not yet adopted.

This first-of-its-kind joint report found widespread evidence suggesting industry naiveté about the state of open source security today. Together with The Linux Foundation, we plan to leverage these findings to further educate and equip the world’s developers, empowering them to continue building fast, while also staying secure.

Matt Jarvis, Director of Developer Relations at Snyk

The use of open source software will undoubtedly continue to increase. Knowing what risks exist in open source packages, and understanding how to build protection against those risks, can empower your organization to use open source technology efficiently and safely. Finding the most effective tools and policies for open source security is a great place to start.

About this project

The 2022 State of Open Source Security report is a partnership between Snyk and The Linux Foundation, with support from OpenSSF, the Cloud Native Security Foundation, the Continuous Delivery Foundation and the Eclipse Foundation. The report is based on a survey of over 550 respondents in the first quarter of 2022 and data from Snyk Open Source, which has scanned more than 1.3 billion open source projects.
