One in four organisations don’t have faith in open source security, according to a report commissioned by cybersecurity firm Snyk and The Linux Foundation.
The findings were based on a survey of more than 550 respondents, as well as data pulled from “1.3 billion” open source projects from Snyk’s Open Source platform.
The report found the average application development project has 49 vulnerabilities and 80 direct dependencies.
In addition, the amount of time it takes to fix vulnerabilities within open source projects increased from 49 days in 2018 to 110 days in 2021 according to the report.
Despite firms recognising the potential dangers of open source security, the research found that less than half - 49 per cent - have a security policy in place for OSS development or usage.
Large firms are even more negligent, according to the report: the share of firms with a specific open source security policy in place drops to 27 per cent among medium and large-sized companies.
Furthermore, less than a third - 30 per cent - of organisations without an open source security policy are aware that, at present, no one in their organisation is addressing the security of open source software.
“Software developers today have their own supply chains – instead of assembling car parts, they are assembling code by patching together existing open-source components with their unique code,” said Matt Jarvis, director, developer relations at Snyk. “While this leads to increased productivity and innovation, it has also created significant security concerns.”