What’s the State of Open Source Security? Don’t Ask.

AUSTIN, TEX. — How safe is the open source software that virtually every organization uses? You might not want to know, according to the results of a survey released by The Linux Foundation and Snyk, a cloud native cybersecurity company, at the foundation’s annual Open Source Summit North America, held here in June.

Forty-one percent of the more than 500 organizations surveyed don’t have high confidence in the security of the open source software they use, according to the research. Only half of participating companies said they have a security policy that addresses open source.

Furthermore, fixing a vulnerability now takes 98 days, more than double the time reported in the 2018 version of the survey.

The research was conducted at the request of the Open Source Security Foundation (OpenSSF), a project of The Linux Foundation. For this On the Road episode of The New Stack Makers, Steve Hendrick, vice president of research at The Linux Foundation, and Matt Jarvis, director of developer relations at Snyk, were interviewed by Heather Joslyn, features editor at TNS.

Despite the alarming statistics, the guests cautioned against treating every vulnerability as a four-alarm fire.

“Having a kind of zero-vulnerability target is probably unrealistic, because not all vulnerabilities are treated equal,” Jarvis said. Some “vulnerabilities” may not necessarily be a risk in your particular environment. It’s best to focus on the most critical threats to your network, applications and data.

One bright spot in the new report: Nearly one in four respondents said they’re looking for resources to help them keep their open source software — and all that depends on it — safe. Perhaps even more relevant to vendors: 62% of survey participants said they are looking to use more intelligent security-focused tools.

“There's a lot from a process standpoint that they are responsible for,” said Hendrick. “But they were very quick to jump on the bandwagon and say, we want the vendor community to do a better job at providing us tools, that makes our life a lot easier. Because I think everybody recognizes that solving the security problem is going to require a lot more effort than we're putting into it today.”

Jumping on the ‘SBOM Bandwagon’

Many organizations still seem confused about which dependencies of the open source software they use are direct and which are transitive (dependencies of their dependencies), said Hendrick. One of the best ways to clarify things, he said, “is to get on the SBOM bandwagon.”

Understanding an open source tool’s software bill of materials, or SBOM, is “going to give you great understanding of the components, it's going to give you usability, it's going to give you trust, you're gonna be able to know that the components are nonfalsified,” Hendrick said.

“And so that's all absolutely key from the standpoint of being able to deal with the whole componentization issue that is going on everywhere today.”
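As an added illustration of the direct-versus-transitive distinction and of the "nonfalsified components" point (example code written for this page, not from the report, The Linux Foundation or Snyk): the script below loads a constructed CycloneDX-style SBOM, walks its dependency graph from the application's root component to label each component as direct or transitive, flags components the SBOM lists but never references, and checks each component's recorded SHA-256 against the artifact bytes actually present. The package names, versions, hashes and artifact bytes are invented; only the JSON layout (`metadata.component`, `components`, `dependencies`/`dependsOn`) follows CycloneDX.

```python
import hashlib
import json
from collections import deque

# Constructed artifact contents, keyed by bom-ref (stand-ins for the real
# package files a build would have on disk).
ARTIFACTS = {
    "libA@2.1.0": b"libA-2.1.0 contents",
    "libB@0.9.3": b"libB-0.9.3 contents",
    "libC@5.0.0": b"libC-5.0.0 contents",
    "libD@1.2.0": b"libD-1.2.0 contents",
    "libE@0.1.0": b"libE-0.1.0 contents",
}


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _component(ref: str, name: str, version: str) -> dict:
    """Build one CycloneDX-style component entry with its SHA-256 recorded."""
    return {"bom-ref": ref, "name": name, "version": version,
            "hashes": [{"alg": "SHA-256", "content": _sha256(ARTIFACTS[ref])}]}


# Constructed SBOM: app -> libA, libB (direct); libA -> libC; libB -> libC, libD
# (transitive); libE is listed as a component but nothing depends on it.
SAMPLE_SBOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app@1.0.0", "name": "app", "version": "1.0.0"}},
    "components": [
        _component("libA@2.1.0", "libA", "2.1.0"),
        _component("libB@0.9.3", "libB", "0.9.3"),
        _component("libC@5.0.0", "libC", "5.0.0"),
        _component("libD@1.2.0", "libD", "1.2.0"),
        _component("libE@0.1.0", "libE", "0.1.0"),
    ],
    "dependencies": [
        {"ref": "app@1.0.0", "dependsOn": ["libA@2.1.0", "libB@0.9.3"]},
        {"ref": "libA@2.1.0", "dependsOn": ["libC@5.0.0"]},
        {"ref": "libB@0.9.3", "dependsOn": ["libC@5.0.0", "libD@1.2.0"]},
        {"ref": "libC@5.0.0", "dependsOn": []},
        {"ref": "libD@1.2.0", "dependsOn": []},
    ],
})


def _load(sbom_json: str):
    sbom = json.loads(sbom_json)
    edges = {d["ref"]: list(d.get("dependsOn", [])) for d in sbom.get("dependencies", [])}
    return sbom, edges


def classify_dependencies(sbom_json: str) -> dict:
    """Breadth-first walk from the root component, recording the shortest depth
    at which each component is reached: depth 1 is a direct dependency, depth 2
    or more is transitive. Components the SBOM lists but never reaches from the
    root are reported as 'unreferenced' (an inconsistent or padded SBOM)."""
    sbom, edges = _load(sbom_json)
    root = sbom["metadata"]["component"]["bom-ref"]
    depth = {root: 0}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for child in edges.get(node, []):
            if child not in depth:          # shortest path wins; also stops cycles
                depth[child] = depth[node] + 1
                queue.append(child)
    listed = {c["bom-ref"] for c in sbom.get("components", [])}
    return {
        "direct": sorted(ref for ref, d in depth.items() if d == 1),
        "transitive": sorted(ref for ref, d in depth.items() if d >= 2),
        "unreferenced": sorted(listed - set(depth)),
        "depth": depth,
    }


def verify_hashes(sbom_json: str, artifact_bytes: dict) -> list:
    """Compare each component's recorded SHA-256 with the bytes actually present.
    Returns the refs that fail: hash mismatch, artifact missing, or no SHA-256
    recorded at all (unverifiable, so treated as a failure rather than trusted)."""
    sbom, _ = _load(sbom_json)
    failures = []
    for comp in sbom.get("components", []):
        ref = comp["bom-ref"]
        recorded = next((h["content"] for h in comp.get("hashes", [])
                         if h.get("alg") == "SHA-256"), None)
        actual = artifact_bytes.get(ref)
        if recorded is None or actual is None or _sha256(actual) != recorded:
            failures.append(ref)
    return sorted(failures)


if __name__ == "__main__":
    report = classify_dependencies(SAMPLE_SBOM_JSON)
    print("direct:      ", report["direct"])
    print("transitive:  ", report["transitive"])
    print("unreferenced:", report["unreferenced"])
    print("hash failures (clean tree):", verify_hashes(SAMPLE_SBOM_JSON, ARTIFACTS))
    tampered = dict(ARTIFACTS, **{"libD@1.2.0": b"not the published bytes"})
    print("hash failures (tampered):  ", verify_hashes(SAMPLE_SBOM_JSON, tampered))
```

The depth map is what answers the "direct or transitive" question the survey respondents were unsure about; the hash check is the mechanical form of Hendrick's "know that the components are nonfalsified" and deliberately treats a component with no recorded hash as unverified rather than silently passing it.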

Additional results from the research, in which core project maintainers discussed their best practices, will be released in the third quarter of 2022. Listen to the podcast to learn more about the report’s results and what The Linux Foundation is doing to help upskill the IT workforce in cybersecurity.
