"Less Than Half of Organizations Have Open Source Security Policy"

Researchers at the Linux Foundation found that over two-fifths (41%) of organizations lack confidence in their open source security, and only 49% report having a policy for it at all. The study was co-sponsored by Snyk; its findings combine interviews with 550 open source stakeholders and data from Snyk's technology, which scanned over 1.3 billion open-source projects.

The researchers note that pulling components from open source repositories to accelerate time-to-market is widespread in the developer community, but it can expose organizations to covert risk when those components carry malware or vulnerabilities. On average, an application development project contains 49 vulnerabilities spanning 80 direct dependencies.

These challenges are compounded by indirect dependencies: some 40% of all vulnerabilities found were in transitive dependencies, which a project pulls in through its direct dependencies rather than declaring itself. Worryingly, only 18% of respondents said they are confident in the controls they have in place for transitive dependencies, and just a quarter said they are even concerned about the security impact of their direct dependencies.

Open source teams are also struggling to keep up with the growing need to find and patch these bugs. The time taken to fix open source vulnerabilities is almost 20% longer than in proprietary projects, and it lengthened from 49 days in 2018 to 110 days last year. The researchers suggest staff shortages as a cause: 30% of organizations without an open source security policy said that no one on their team is currently addressing open source security directly.

The researchers conclude that the findings clearly show the risk is real, and that the industry must work even more closely together to move away from poor open source and software supply chain security practices.


Infosecurity reports: "Less Than Half of Organizations Have Open Source Security Policy"
