Open source software is popular because it democratizes development and allows anyone to use and contribute to it. However, the nature of open source software makes it particularly susceptible to vulnerabilities, and according to a report just released by the Linux Foundation in collaboration with Snyk, these factors are decreasing faith in OSS among organizations.
Around 41% of the organizations that participated in the survey said their confidence in open source security was diminishing. At the same time, less than half of them, 49% to be precise, said they had a concrete open source security policy in place or were at least working on one.
Organizations rely heavily on open source supply chains, and according to the report these projects carry just under 50 vulnerabilities on average. The time needed to patch a discovered vulnerability is also increasing sharply: in 2018 an organization needed around 48 days on average to fix a vulnerability in its open source software, but by 2021 this had risen to 110 days.
The fact that so many organizations have no proper security policy for their open source software may be making matters worse than they need to be. Automating vulnerability detection in the code is a good starting point, but it is only the first step in a long journey towards proper open source security. Until these steps are taken, it seems unlikely that organizations will be able to use open source software with any degree of confidence. It is unsurprising that the set of organizations that lack confidence in open source security and the set that have no policies in place overlap so closely.