2024 Open Source Security Report: Slowing Progress and New Challenges for DevSecOps

Trust is the foundation of the open source community — but what happens when that trust is betrayed? 

When a backdoor vulnerability was found in a widespread Linux-based data compression tool, it nearly created an opportunity for malicious actors to seize control of countless computers worldwide. The vulnerability was introduced by a trusted contributor who, after years of building rapport with maintainers, ultimately exploited that trust. This incident has shaken the open source community, which relies on the goodwill and integrity of participants to build functional, secure software.

Between widespread security issues, plus systemic concerns like funding difficulties and developer burnout, the open source world is now in a state of flux. Initiatives like the Open Source Pledge aim to help keep open source viable and ensure that the software supply chain remains secure. But there’s a lot we don’t know about the future of this development work, which supports as much as 70% to 90% of today’s software. 

In Snyk's 2024 State of Open Source report, we set out to uncover the current state of open source security and its evolving challenges. What we found highlights a landscape at a crossroads: While open source development continues to underpin the vast majority of today’s software, it faces persistent obstacles — ranging from stagnant DevOps progress to the growing complexity of supply chain security. Yet, despite these hurdles, there are promising shifts in how organizations are approaching these issues. 

DevOps progress goes stagnant — and AppSec exhaustion grows

Our findings indicate that the open source world has reached a plateau in DevOps maturity: The frequency of code shipments remains largely unchanged since last year’s report. As DevOps processes mature, code deployments should grow smaller and more frequent, so this inertia reflects that adoption of DevOps processes has actually slowed. Likewise, many respondents see SLA deadlines for vulnerabilities as a daunting challenge. 52% of teams said they often fail to meet vulnerability SLA deadlines, with 74% setting unrealistic SLAs of a week or less.

This stagnancy is also evident in dependency tracking, which showed only slight improvement: 25% of respondents said that they track only direct dependencies, with almost 5% tracking none at all. And when it comes to AppSec, progress is equally slow. In a DevSecOps cycle where security information can be delivered by disparate tools at inconvenient times, developers need a consolidated tool in which to view and manage security information. 

A secured software supply chain remains out of reach

The software supply chain, with its intricate web of interconnected teams and tools, can often feel overwhelming to manage. Securing it demands a comprehensive effort to identify and address vulnerabilities across every stage of the software lifecycle. But have organizations' strategies for tackling supply chain security evolved? 

For many businesses, the answer is no: Supply chain vulnerabilities continue to pose a serious threat. In 2024, 45% of organizations had to replace vulnerable build components, meaning that nearly half of supply chains are known to have been exposed to vulnerabilities. And organizations have a long way to go when it comes to adopting supply chain security practices. Only two of the practices we asked about — SBOM monitoring (62%) and pipeline security (50%) — are widely adopted.

To address these weaknesses, organizations are increasingly opting for automated package security tools. While automation can accelerate many workflows safely, this rising dependency on automation for package safety verification may be cause for concern. An over-reliance on these tools could result in critical vulnerabilities going undetected.

Risk analysis is in need of sophistication

In a world where security breaches are on the rise, risk management helps businesses identify and prevent security risks before they happen. Novel risk analysis methods, like reachability or business context analysis, could supercharge the value of risk management for many organizations by helping developers identify and fix the most important vulnerabilities first. But in spite of the new availability of advanced techniques, most organizations still rely heavily on traditional risk analysis measures, like the Common Vulnerability Scoring System (CVSS) and exploit prediction. 

The gap suggests difficulty in assessing actual vulnerability risks, which in turn hinders an organization’s ability to triage and respond to risks efficiently. In other areas, too, it’s clear that risk management is not sufficiently prioritized. For instance, fewer than 25% of organizations perform regular audits of their software supply chain.

Confidence in AI security tools is high — Likely too high

Nearly 80% of respondents believe that AI coding tools generate more secure code. Despite research indicating they introduce new vulnerabilities, developers are inclined to trust AI just as much as their own colleagues. Eighty-four percent say they apply the same level of scrutiny to AI-suggested open source packages as they would human-suggested ones, indicating a concerning cognitive dissonance. 

As the reliance on AI in coding grows, it will be critical to avoid overreliance on AI for security in particular, to avoid introducing unbounded risk and ensure that monitoring is thorough and well-performed.

Read more in the 2024 State of Open Source report

Open source security practices have a long way to go before achieving full maturity. This year brought slowed growth in the adoption of security practices and tools. This trend is concerning given the introduction of new levels of risk into software, between increased cyber threats and the potential for AI-injected vulnerabilities. 

On the other hand, the adoption of more mature security practices may be slow, but it is growing — and with it, the promise of a more secure software supply chain. 

For more detailed insights and practical steps to secure your software supply chain, read the full report today.