Open-source software risks persist, according to new reports

Open-source software (OSS) has become a mainstay of most applications, but it has also created security challenges for developers and security teams, challenges that may be overcome by the growing “shift left” movement, according to two studies released this week.

Two out of five organizations (41%) don’t have high confidence in their open-source security, researchers at Snyk, a developer security company, and The Linux Foundation reveal in their report, The State of Open Source Security.

It also notes that the time to fix vulnerabilities in open-source projects has steadily increased over the last three years, more than doubling from 49 days in 2018 to 110 days in 2021.

The open-source debate: Productivity vs security

The report, based on a survey of more than 550 respondents, also notes that the average application development project has 49 vulnerabilities and 80 direct dependencies (points where a project calls open-source code). What’s more, the report found that less than half of organizations (49%) have a security policy for OSS development or usage. That number is worse for medium- to large-sized companies: 27%.

“Software developers today have their own supply chains,” Snyk Director of Developer Relations Matt Jarvis explains in a statement. “Instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security concerns.”

Shifting security left reveals vulnerabilities sooner

Another survey—the AppSec Shift Left Progress Report—suggests better OSS security can be achieved by moving security “left,” closer to the beginning of the software development lifecycle. The report, based on the experience of users of ShiftLeft’s Core product, found that 76% of new vulnerabilities were fixed within two sprints.