Researchers discover lack of confidence in state of open-source security 

Today, Snyk and The Linux Foundation released the State of Open Source Security report, which examined the security risks of the widespread use of open-source software. 

One of the findings from the report was that 41% of organizations don’t have high confidence in their open-source software security. At the same time, only 49% of organizations said they had a security policy for OSS development or usage. 

The report comes amid growing concerns over the security of open-source software following the havoc wreaked by the Log4Shell zero-day vulnerability. It led to the White House Open Source Security Summit II, where organizations including Amazon, Google and Microsoft came together to commit to improving open-source security. 

Lack of security preparation is catching up with orgs 

For enterprises, one of the key trends from the report is that there is a lack of ability among organizations to secure the open-source supply chain. For example, researchers found the average application development project has 49 vulnerabilities and 80 direct dependencies. 

In addition, the time organizations take to fix the vulnerabilities in open-source projects has also significantly increased from 49 days in 2018 to 110 days in 2021.  

At the heart of the challenge of securing open-source software is the fact that there is a tremendous variation in the level of maintenance between each project. 

“Open source is a huge landscape and a broad church. For every huge project like the Linux Kernel or Kubernetes which are developed in the main by folks working for companies, there are hundreds of thousands of much smaller projects,” said Matt Jarvis, the director of developer relations at Snyk. “Many of these developers may be maintaining the software in their spare time, and are focused on trying to provide features to users, with little time and resources available for security issues.”

The providers securing the open-source supply chain 

In this environment, Jarvis recommends that organizations start defining policies around open-source solutions, scanning open-source dependencies, container images, and source code for vulnerabilities and mitigating them to reduce risks to the organization as a whole. 

Snyk currently offers a solution for identifying vulnerabilities in code automatically, through the use of security intelligence, and occupies a place as one of the main open-source supply chain security providers. 

Just last year, Snyk reported it had raised $530 million as part of a series F funding round and achieved an $8.5 billion valuation. 

Of course, Snyk isn’t the only solution provider that’s set its sights on mitigating weaknesses in the software supply chain. It’s also competing against competitors like SonarSource with SonarQube, which offer code analysis to identify if there are bugs or vulnerabilities in developer code that could put the organization at risk. 

Earlier this year, SonarSource announced it had raised $412 million in funding and achieved a valuation of $4.7 billion. Other competitors in the market include DevSecOps and code quality analysis tools like Sonatype, and tools like Dependabot, which offer automated dependency updates. 

Snyk claims its main differentiator comes down to dependency monitoring approaches that help to ensure the security of third-party code. This is different from code review tools like SonarQybe which focus on helping developers to improve the quality of code they produce themselves.