Open Source Security Report Highlights Vulnerabilities in Code Dependencies

Snyk and the Linux Foundation have released The State of Open Source Security, a joint research report that details various security risks resulting from the widespread use of open source software (OSS) in application development, including vulnerabilities found in dependencies.

Dependencies are a key component of the software supply chain, but only 24 percent of respondents have confidence in the security of their direct dependencies, according to the report.

Highlights of the report include:

  • 59% of organizations feel their open source software is either somewhat secure or highly secure.
  • 49% of organizations have an open source security policy in place for open source development and usage.
  • The average application development project has 49 vulnerabilities and 80 direct dependencies (open source code called by a project).
  • The time it takes to fix vulnerabilities in open source projects has increased from 49 days in 2018 to 110 days in 2021.

“While OSS generally has an excellent reputation for security, the communities behind those works can vary significantly in their application of development practices and techniques to reduce the risk of defects in the code,” says Brian Behlendorf, General Manager, Open Source Security Foundation, The Linux Foundation.