The widespread use of open source software (OSS) within modern application development poses a “significant security risk”, new research suggests.
According to a new report from cybersecurity company Snyk, together with the Linux Foundation, today’s organizations are underprepared to tackle these risks.
Based on a survey of more than 550 respondents, along with data drawn from 1.3 billion open source projects via Snyk Open Source, the report finds that two in five companies (41%) are not confident in the security of their open source code.
Vulnerabilities in open source code
The average application development project, the report found, contains 49 vulnerabilities and 80 direct dependencies. It now typically takes 110 days to remediate a vulnerability in an open source project, up from 49 days four years ago.
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk.
Jarvis added that there’s a certain “naivete” to the industry’s approach to open-source software, which could open the door to all manner of malware, ransomware and other attacks.
For example, less than half (49%) have a security policy for OSS development or usage, a figure that drops to 27% among medium- and large-sized companies. Furthermore, less than a third (30%) of organizations without an open source security policy are aware that, at the moment, no one is addressing the security of their open source software.
But some respondents are aware of the security challenges posed by open source software in the supply chain. A quarter said they were concerned about the security impact of their dependencies on OSS, and only 18% said they were confident in the controls they’ve set up for their transitive dependencies, where 40% of all vulnerabilities were found.