One of the most striking findings from the report was that 41% of organizations don’t have a high level of confidence in their open-source software security. At the same time, only 49% of organizations said they had a security policy for OSS development or usage.
The report comes amid growing concerns over the security of open-source software following the havoc wreaked by the Log4Shell zero-day vulnerability, which led to the White House Open Source Security Summit II, where organizations including Amazon, Google, and Microsoft came together to commit to improving open source security.
Lack of security preparation is catching up with orgs
For enterprises, one of the key trends from the report is a lack of confidence in the ability of organizations to secure the open-source supply chain. For example, researchers found the average application development project has 49 vulnerabilities and 80 direct dependencies.
In addition, the time organizations take to fix the vulnerabilities in open source projects has also significantly increased from 49 days in 2018 to 110 days in 2021.
At the heart of the challenge of securing open source software is the fact that there is a tremendous variation in the level of maintenance between each project.
“Open source is a huge landscape and a broad church. For every huge project like the Linux Kernel or Kubernetes which are developed in the main by folks working for companies, there are hundreds of thousands of much smaller projects,” said Director of Developer Relations at Snyk, Matt Jarvis.
“Many of these developers may be maintaining the software in their spare time, and are focused on trying to provide features to users, with little time and resources available for security issues,” Jarvis said.
The providers securing the open source supply chain
In this environment, Jarvis recommends that organizations start defining policies around open source solutions, scanning open source dependencies, container images, and source code for vulnerabilities, and mitigating them to reduce risks to the organization as a whole.
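As an added illustration of the policy-and-scanning step Jarvis describes, the script below audits a requirements-style dependency manifest: it enforces a simple policy (every dependency must be pinned with `==`) and matches pinned versions against an advisory list. This is example code written for this page, not Snyk’s or any other vendor’s tooling; the package names, version ranges, advisory IDs and the sample manifest are all constructed placeholders.

```python
"""Minimal open-source dependency audit: enforce a pinning policy and match
pinned versions against a list of known-vulnerable version ranges.
Example code added for illustration; the advisories and manifest are constructed."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: tuple   # first vulnerable version (inclusive)
    fixed: tuple        # first fixed version (exclusive upper bound)
    advisory_id: str


def parse_version(text):
    """Turn a dotted version string such as '2.14.1' into a comparable tuple."""
    return tuple(int(part) for part in text.split("."))


# Constructed advisory data with placeholder IDs (not real CVEs or packages).
ADVISORIES = [
    Advisory("examplelog", (2, 0, 0), (2, 17, 1), "EXAMPLE-ADV-0001"),
    Advisory("jsonutil", (1, 0, 0), (1, 4, 0), "EXAMPLE-ADV-0002"),
]

# name, optional operator, optional version (requirements.txt-style line)
REQ_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*(==|>=|<=|~=|>|<)?\s*([0-9.]+)?\s*$")


def parse_manifest(text):
    """Parse manifest lines into (name, operator, version) tuples; comments are skipped."""
    deps = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        match = REQ_RE.match(line)
        if not match:
            raise ValueError(f"unparseable requirement: {line!r}")
        name, op, ver = match.groups()
        deps.append((name.lower(), op, ver))
    return deps


def audit(manifest_text, advisories=ADVISORIES):
    """Return findings as (package, finding_id, remediation) tuples.

    Unpinned dependencies are reported as POLICY violations and not version-checked,
    because without a pin the installed version is not knowable from the manifest.
    """
    findings = []
    for name, op, ver in parse_manifest(manifest_text):
        if op != "==" or ver is None:
            findings.append((name, "POLICY", "dependency not pinned with =="))
            continue
        version = parse_version(ver)
        for adv in advisories:
            if adv.package == name and adv.introduced <= version < adv.fixed:
                fixed = ".".join(str(p) for p in adv.fixed)
                findings.append((name, adv.advisory_id, f"upgrade to >= {fixed}"))
    return findings


# Constructed sample manifest: one vulnerable pin, one safe pin, one unpinned entry.
SAMPLE_MANIFEST = """\
# constructed sample manifest
examplelog==2.14.1
jsonutil==1.4.2
requests>=2.0
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_MANIFEST):
        print(finding)
```

The same shape generalizes to container image and source-code scanning: an inventory step (here, `parse_manifest`), a policy gate, and a match against a vulnerability feed, with each finding carrying the remediation so it can be tracked to closure.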
Snyk currently offers a solution for identifying vulnerabilities in code automatically, through the use of security intelligence, and occupies a place as one of the main open source supply chain security providers.
Just last year, Snyk reported it had raised $530 million as part of a Series F funding round and achieved an $8.5 billion valuation.
Of course, Snyk isn’t the only solution provider that’s set its sights on mitigating weaknesses in the software supply chain. It’s also competing against vendors like SonarSource, whose SonarQube offers code analysis to identify bugs or vulnerabilities in developer code that could put the organization at risk.
Earlier this year, SonarSource announced it had raised $412 million in funding and achieved a valuation of $4.7 billion. Other competitors in the market include DevSecOps and code quality analysis tools like Sonatype, and tools like Dependabot, which offer automated dependency updates.
The main difference is that tools like Snyk focus on dependency monitoring, which helps ensure the security of third-party code, whereas code review tools like SonarQube focus on helping developers improve the quality of the code they produce themselves.
VentureBeat’s mission is to be a digital town square for technical decision-makers to gain knowledge about transformative enterprise technology and transact. Learn more about membership.