The widespread use of open source software (OSS) within modern application development poses a “significant security risk”, new research suggests.
According to a new report from cybersecurity company Snyk, together with the Linux Foundation, today’s organizations are underprepared to tackle these risks.
Based on a survey of more than 550 respondents and on data pulled from 1.3 billion open source projects via Snyk Open Source, the report found that XNUMX in 41 (XNUMX%) companies are not confident in the security of their open source code.
Vulnerabilities in open source code
The average application development project was found to contain 49 vulnerabilities and 80 direct dependencies. The time it typically takes to fix a vulnerability in an open source project has grown from 49 days XNUMX years ago to 110 days now.
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns,” said Matt Jarvis, Director, Developer Relations, Snyk.
Jarvis added that there’s a certain “naivete” to the industry’s approach to open-source software, which could open the door to all manner of malware, ransomware and other attacks.
For example, less than half (49%) have a security policy for OSS development or usage, dropping to 27% among medium and large-size companies. Furthermore, among organizations without an open source security policy, fewer than a third (30%) are aware that, at the moment, no one is addressing the security of their open source software.
But some respondents are aware of the security challenges posed by open source software in the supply chain. A quarter said they were concerned about the security impact of their dependencies on OSS, and only 18% said they were confident in the controls they’ve set up for their transitive dependencies, where 40% of all vulnerabilities were found.