Open Source Maintainers Want to Reduce Application Security Risk

After poor documentation, a negative track record for security is the top reason companies do not use an open source technology, according to a survey DigitalOcean published last year. The number of reported vulnerabilities has soared as applications pull in ever more open source dependencies. Despite these concerning trends, more developers than ever before think they are up to the task of being responsible for security.
According to Snyk’s “State of Open Source Security Report 2019,” which surveyed over 500 open source users and maintainers, 30 percent of developers who maintain open source (OS) projects are highly confident in their security knowledge, up from 17 percent the year before. In addition, the share of OS maintainers who run security audits on their projects has risen twenty percentage points to 74 percent compared with last year’s survey. Yet only 42 percent of maintainers audit their code at least once a quarter. That is a problem because development velocity targets are so much higher than they were a few years ago: code that ships weekly or daily can carry a newly disclosed vulnerability into production long before the next quarterly audit.
The New Stack and Linux Foundation’s survey of open source leaders found that the average development team was releasing code into production at more than two-thirds of companies. Other studies are less optimistic and indicate that only about a quarter of companies have reached that level of speed.
Open source maintainers believe they are very responsive when they hear about vulnerabilities, with 57 percent saying they would address the issue within a day of it being reported. We have our doubts that maintainers are that fast: a Tidelift study found that maintainers have difficulty finding time to work on their projects, and other studies find that developers worry they do not have time to address security properly.
As we reported last week, companies risk overconfidence about their security posture, and Snyk provides evidence that this has found its way into development teams: 81 percent of survey respondents said developers are responsible for security, while only slightly more than a quarter said a security team is responsible.
Snyk’s chief product officer, Aner Mazur, believes that open source maintainers would happily address security concerns but are inhibited by manual, time-consuming methods. Adding vulnerability scanning to CI/CD (continuous integration and/or deployment) pipelines is part of the solution. Among respondents that have continuous integration, 57 percent say they scan their open source dependencies during CI, but 37 percent say they have no automated security testing during CI at all.
Mazur explains that Snyk makes it easier for developers to address indirect vulnerabilities: those that come not from an open source component the developer chose directly but from one of that component’s own dependencies, which the developer may never have looked at. Snyk is also trying to address the fact that developers already use too many tools and want fewer of them, not more. Thus Snyk integrates with IDEs such as IntelliJ and version control tools such as GitHub, GitLab and Bitbucket to surface alerts within the software developers already use every day.
When they exist, application security teams and cloud architects have been actively promoting the use of tools like Snyk, which is important because they are the ones who will likely pay for the tools. Now let’s see to what extent developers actually use them.
Context from Other Reports
- Testing During Development Is Still in its Early Days: Only 25 percent of companies conduct automated security testing during code development (Cybersecurity Insiders 2018 Application Security Report). Even among companies that have mature DevOps practices, only 52 percent apply automated application security analysis during development (DevSecOps Community Survey 2018).
- Perceived Risk Is Greater Than Reality: Public-facing websites and third-party or open source dependencies are each considered risky by 59 percent of information security pros. However, when asked where actual incidents or breaches occurred, respondents were almost twice as likely to name websites (16 percent) as dependencies (9 percent) (“Secure DevOps: Fact or Fiction?”).
- Vulnerability Management Is Time Consuming: Almost 75 percent of developers spend more than 10 hours a month handling open source vulnerabilities (“The State of Open Source Vulnerabilities Management”).

Source: “Secure DevOps: Fact or Fiction?”, a SANS Institute survey sponsored by Veracode. 65 percent of information security pros acknowledge that developers are responsible for actually remediating application security challenges.

Source: WhiteSource’s “The State of Open Source Vulnerabilities Management”. Almost 75 percent of developers spend more than 10 hours a month handling open source vulnerabilities.