Categories: Open Source, Cloud Native Security, DevSecOps, Ecosystems

The State of Open Source Security Survey – 2020

Alyssa Miller, March 25, 2020

Open source security is our passion here at Snyk. Every year since 2017, Snyk has produced an annual State of Open Source Security report. In it, we analyze the trends in open source security and how organizations are managing security vulnerabilities in their open source software and cloud native technologies. As part of our research we turn to the community to share their perspectives through our State of Open Source Security survey. We've recently launched the 2020 survey and we want to hear from you!

Your responses to this survey help us better understand the challenges our community faces and guide our research. Coupled with data we gather and analyze from our platform and those of our partners, we will once again release this free report to the community. This year we're expanding our focus to get even greater detail on cloud native technologies such as containers, orchestration tools, and infrastructure as code.

Open Source Security in 2019

In our 2019 report, we took a detailed look at the trends in various development ecosystems and what they meant for security. While the research produced many notable findings, a few key items really stood out. These are some of the key discoveries from 2019 that we plan to continue monitoring in our 2020 report.

Known Vulnerabilities

One of the key data elements we researched for our 2019 report was the volume of reported security vulnerabilities across multiple ecosystems. Looking at application libraries in PyPI, Go, npm, Maven Central, and PHP Packagist, we found that over the two-year span of 2017 and 2018 the number of reported vulnerabilities grew by almost 88%. PHP, in particular, saw a significant increase in the pace of reported vulnerabilities in 2018.

[Figure: Vulnerabilities by ecosystem, from the State of Open Source Security 2019 report]

When looking at vulnerabilities, we want to understand not only the sheer number but also the criticality of what is being discovered. From 2017 to 2018 we saw a somewhat encouraging trend: the mix of high versus medium severity vulnerabilities reported shifted toward the less risky medium severity bucket. One caveat worth keeping in mind when reading severity figures is that a severity rating describes potential impact; it does not tell you whether the vulnerable code is actually reachable in a given application, which is why prioritization still needs context from the application itself.

[Figure: Vulnerability severities by year, from the State of Open Source Security 2019 report]

Container security

As part of our 2019 report, we started to look at some of the key trends in vulnerabilities in container images. We examined the known vulnerabilities in the system libraries shipped in some of the most popular images on Docker Hub. We found that the average number of vulnerabilities per image was high, and that the Node.js images in particular carried a large number of vulnerable libraries. If there was a silver lining, it was that 44% of those vulnerabilities could be fixed simply by swapping the base image for a less vulnerable version.

[Figure: OS vulnerabilities in popular Docker Hub images, from the State of Open Source Security 2019 report]
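To make the base-image finding concrete, here is an added example of the pattern it points at; this is illustrative code written for this page, not a Dockerfile from the report or from Snyk. The image tags (`node:10` for the build stage, `node:10-slim` for the runtime stage) and the application layout (`package.json`, `server.js`) are assumptions chosen for illustration, not images the report measured. The idea is that the image you ship is the only one whose OS packages matter at runtime, so a multi-stage build lets you keep a full toolchain for `npm ci` while shipping a base with far fewer system libraries, which is exactly the "swap the base image" fix the 44% figure describes.

```dockerfile
# Build stage: the full image is fine here because it never ships.
# (node:10 is an assumed tag for illustration, not a figure from the report.)
FROM node:10 AS build
WORKDIR /app
COPY package*.json ./
# Install only runtime dependencies; devDependencies stay out of the image.
RUN npm ci --only=production
COPY . .

# Runtime stage: the slim variant of the same Node.js release carries far
# fewer OS packages, so fewer known OS-level vulnerabilities come along.
# (node:10-slim is likewise an assumed tag for illustration.)
FROM node:10-slim
WORKDIR /app
# Copy only the built application and its production node_modules.
COPY --from=build /app /app
# The official node images ship a non-root "node" user; use it.
USER node
EXPOSE 3000
CMD ["node", "server.js"]
```

After rebuilding, rescan the result rather than assuming the swap helped, for example with `snyk container test <image> --file=Dockerfile`, which reports the vulnerabilities in the image and, because it can see the `FROM` line, suggests alternative base images with fewer known issues. The 44% is an average across popular public images; the reduction on your own image depends on which OS packages the slim variant still carries and on the application dependencies layered on top, which the base image swap does not touch.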

Time to fix

One other key element in understanding the overall state of security across the open source ecosystem is how long it takes maintainers to address reported vulnerabilities and provide a fix. Looking at some of the most popular packages in npm, we found that time to fix ranged from 289 days to over 2,000 days! For anyone depending on those packages, that is the window during which the only options are a workaround or a mitigating control, since no upstream fix exists to upgrade to.

[Figure: Days to fix, from the State of Open Source Security 2019 report]

Plans for the 2020 Report

The findings from 2019 were very interesting and, in some cases, quite eye-opening. As we look to this year's report we want to continue monitoring trends in many of the key elements from the 2019 report, but we also plan to expand beyond them. In our survey, we're asking more questions aimed at understanding how organizations are driving their DevSecOps culture and how they're managing security across open source software, containers, and orchestration.

From a data research perspective, we'll build on the lessons learned in the 2019 report to gather even more vulnerability information across the ecosystems. We'll be digging deeper into data that ultimately helps answer the question: is open source security improving? Coupling that information with the survey results will create a powerful view of the open source ecosystem and help maintainers and organizations alike better plan their security initiatives.

To help us out, you can access the survey here:

TAKE THE SURVEY NOW!
