"Open Source Software Security Begins to Mature"
According to a survey recently published by the software-security firm Snyk and the Linux Foundation, companies with an open-source software (OSS) security policy perform significantly better in self-assessed readiness measures. They also tend to have dedicated teams responsible for driving software security. Seven out of ten companies with an OSS security policy believe their application development is highly or somewhat secure. In comparison, only 45 percent of companies that did not implement such a policy believe they are at least somewhat secure. Only about half of firms have an open-source security policy in place to guide developers in using components and frameworks, with a higher proportion of small businesses (60 percent) either having no policy or not knowing whether they have one. The report highlights that the economics of security tend to lower the priority of developing a formal policy at startups and smaller firms. Small organizations tend to have a small IT staff and budget, and the functional requirements of the business often take precedence so that the business can remain competitive. The main reasons firms did not follow OSS security best practices were a lack of resources and time. The survey also found that different programming languages bring different security considerations. The average time to fix flaws in applications written in .NET, for example, is 148 days, followed by JavaScript. On the other hand, applications written in Go had the fastest time-to-patch and were usually corrected in a third of that period. This article continues to discuss key findings from the report on addressing cybersecurity challenges in OSS.
Dark Reading reports "Open Source Software Security Begins to Mature"