The State of Open Source Security – 2020
Open source security is our passion here at Snyk. Every year since 2017, Snyk has produced its annual State of Open Source Security report. In it, we analyze trends in open source security and how organizations are managing security vulnerabilities in their open source software and cloud native technologies. As part of our research we turn to the community to share their perspectives through our State of Open Source Security survey. We have recently launched the 2020 survey and we want to hear from you!
Your responses to this survey help us better understand the challenges our community faces and guide our research. Coupled with data we gather and analyze from our platforms and those of our partners, we will once again release this free report to the community. This year we are expanding our focus to get even greater detail on cloud native technologies such as containers, orchestration tools, and infrastructure as code.
Open Source Security in 2019
In our 2019 report, we took a detailed look at the trends in various development ecosystems and what they meant in terms of security. While our research produced many notable findings, a few key items really stood out. These are some of the key discoveries from 2019 that we plan to continue monitoring in our 2020 report.
One of the key data elements we researched for our 2019 report was the volume of reported security vulnerabilities across multiple ecosystems. Looking at application libraries in PyPI, Go, npm, Maven Central, and PHP Packagist, we found that over the two-year span of 2017 and 2018 the number of reported vulnerabilities grew by almost 88%. PHP, in particular, saw a significant increase in the pace of reported vulnerabilities in 2018.
When looking at vulnerabilities, we want to understand not only the sheer number but also the criticality of the vulnerabilities being discovered. From 2017 to 2018 we saw a somewhat encouraging trend: the ratio of high to medium severity vulnerabilities reported shifted toward the less risky medium severity category.
As part of our 2019 report, we also started to look at some of the key trends in vulnerabilities in container images. We looked at the known vulnerabilities in the system libraries within some of the most popular images on Docker Hub. We found that the average number of vulnerabilities per image was quite high, and that the Node.js images in particular carried a significant number of vulnerable libraries. If there was a silver lining to be found, it was that 44% of the vulnerabilities could be fixed simply by swapping the base image for a less vulnerable version.
Time to fix
One other key element in understanding the overall state of security across the open source ecosystem is how long it takes maintainers to address reported vulnerabilities and provide a fix. Looking at some of the most popular packages in npm, we found that time to fix ranged from 289 days to over 2,000 days!
Plans for the 2020 Report
The findings from 2019 were very interesting and, in some cases, quite eye-opening. As we look to this year's report we want to continue to monitor trends in many of the key elements from the 2019 report, but we also plan to expand beyond them. In our survey, we are asking more questions aimed at understanding how organizations are driving their DevSecOps culture and how they are managing security across open source software, containers, and orchestration.
From a data research perspective, we will build on the lessons learned in the 2019 report to gather even more vulnerability information across the ecosystems. We will be digging deeper into data that ultimately helps answer the question: is open source security improving? Coupling that information with the survey results will create a powerful view into the open source ecosystem and help maintainers and organizations alike better plan security initiatives.
To help us out, you can access the survey here: