Today, Snyk and the Linux Foundation released a State of Open Source Security report that examines the security risks that come with the widespread use of open source software.
One of the most striking findings from the report is that 41% of organizations do not have high confidence in the security of their open source software. At the same time, only 49% of organizations said they have a security policy covering OSS development or use.
The report comes amid growing concern about the security of open source software following the fallout from the Log4Shell zero-day vulnerability, which led to the White House Open Source Security Summit II, a meeting that brought together organizations including Amazon, Google and Microsoft to improve open source security.
Organizations are being caught short on security readiness
For enterprises, a key trend from the report is the lack of capacity in organizations to secure open source supply chains. For example, the researchers found that the average application development project has 49 vulnerabilities and 80 direct dependencies.
In addition, the time taken by organizations to fix vulnerabilities in open source projects has increased from 49 days in 2018 to 110 days in 2021.
At the heart of the challenge of securing open source software is the fact that there are tremendous differences in the level of maintenance between each project.
“Open source is a huge landscape and a broad church. For every huge project like the Linux kernel or Kubernetes that is developed by people working for companies, there are thousands of much smaller projects,” said Matt Jarvis, director of developer relations at Snyk.
“Many of these developers can maintain software in their spare time, and focus on trying to provide features to users with little time and resources available for security issues,” Jarvis said.
Providers securing open source supply chains
In this environment, Jarvis recommends that organizations begin scanning their own source code, their open source dependencies and their container images for vulnerabilities, and then remediate what they find, to reduce the risk to the organization as a whole.
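To make the dependency-scanning part of that recommendation concrete, here is an added example (written for this page; it is not code from the report, from Snyk, or from any scanner mentioned here) showing the core of what a software composition analysis tool does: it reads a lockfile, separates direct from transitive dependencies, and checks each resolved version against an advisory feed. The lockfile, the package names and the advisory identifiers below are all constructed for the example and are not real packages or real advisories; the affected-version range is modelled as a half-open interval in the style of OSV.

```python
"""Minimal software-composition-analysis style dependency scan.

Added example (not from the report or any vendor): walks an npm lockfile
(lockfileVersion 3 layout), separates direct from transitive dependencies,
and matches each resolved version against a small constructed advisory
list. All package names, versions and advisory IDs are hypothetical.
"""
import json

# Constructed package-lock.json for a toy project (names are made up).
LOCKFILE_JSON = json.dumps({
    "name": "toy-app",
    "lockfileVersion": 3,
    "packages": {
        "": {"dependencies": {"web-framework": "^4.17.0", "template-lib": "^2.0.0"}},
        "node_modules/web-framework": {"version": "4.17.1",
                                       "dependencies": {"query-parser": "6.7.0"}},
        "node_modules/query-parser": {"version": "6.7.0"},
        "node_modules/template-lib": {"version": "2.3.0"},
    },
})

# Constructed advisory feed; affected range is [introduced, fixed).
# IDs are hypothetical, not real CVE or GHSA identifiers.
ADVISORIES = [
    {"id": "EXAMPLE-2022-0001", "package": "query-parser",
     "introduced": "6.0.0", "fixed": "6.9.0", "severity": "high"},
    {"id": "EXAMPLE-2022-0002", "package": "template-lib",
     "introduced": "2.0.0", "fixed": "2.3.0", "severity": "medium"},
    {"id": "EXAMPLE-2022-0003", "package": "web-framework",
     "introduced": "5.0.0", "fixed": "5.0.2", "severity": "low"},
]


def parse_version(v):
    """Turn '6.7.0' into (6, 7, 0); pre-release suffixes are dropped for brevity."""
    core = v.split("-")[0]
    return tuple(int(x) for x in core.split("."))


def is_affected(version, introduced, fixed):
    """True when introduced <= version < fixed (the fixed version itself is clean)."""
    return parse_version(introduced) <= parse_version(version) < parse_version(fixed)


def load_lockfile(text):
    """Return ({name: {"version", "deps"}}, set of direct dependency names)."""
    packages = json.loads(text)["packages"]
    direct = set(packages[""].get("dependencies", {}))
    resolved = {}
    for path, entry in packages.items():
        if path == "":
            continue
        # Keep the last path segment; nested duplicates would overwrite here,
        # which is acceptable for this illustration but not for a real tool.
        name = path.rsplit("node_modules/", 1)[1]
        resolved[name] = {"version": entry["version"],
                          "deps": list(entry.get("dependencies", {}))}
    return resolved, direct


def dependency_paths(resolved, direct):
    """Map each package to the direct dependency that pulls it in (BFS from the root)."""
    via = {}
    queue = [(name, name) for name in sorted(direct)]
    while queue:
        name, root = queue.pop(0)
        if name in via or name not in resolved:
            continue
        via[name] = root
        for child in resolved[name]["deps"]:
            queue.append((child, root))
    return via


def scan(lockfile_text, advisories):
    """Return one finding per (package, advisory) match, flagged direct or transitive."""
    resolved, direct = load_lockfile(lockfile_text)
    via = dependency_paths(resolved, direct)
    findings = []
    for adv in advisories:
        pkg = resolved.get(adv["package"])
        if pkg and is_affected(pkg["version"], adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"], "package": adv["package"], "version": pkg["version"],
                "severity": adv["severity"], "direct": adv["package"] in direct,
                "via": via.get(adv["package"]), "fix": adv["fixed"],
            })
    return findings


if __name__ == "__main__":
    for f in scan(LOCKFILE_JSON, ADVISORIES):
        kind = "direct" if f["direct"] else f"transitive via {f['via']}"
        print(f"{f['id']} {f['severity']:6} {f['package']}@{f['version']} "
              f"({kind}); upgrade to >= {f['fix']}")
```

Run as a script it reports a single finding: the hypothetical query-parser 6.7.0, pulled in transitively through web-framework, which is the case that matters most in practice because the vulnerable package never appears in the project's own manifest. template-lib 2.3.0 is not reported because 2.3.0 is the fixed version and the range is half-open; getting that boundary wrong is a common source of false positives in home-grown scanners.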
Snyk currently provides tooling that automatically identifies vulnerabilities in code and dependencies using its security intelligence, and ranks as one of the leading open source supply chain security providers.
Just last year, Snyk reported that it had raised $530 million in a Series F funding round at a valuation of $8.5 billion.
Of course, Snyk is not the only vendor that has set its sights on minimizing vulnerabilities in the software supply chain. It competes against companies such as SonarSource, whose SonarQube offers code analysis to identify errors or vulnerabilities in developer-written code that could put the organization at risk.
Earlier this year, SonarSource announced that it had raised $412 million at a $4.7 billion valuation. Other competitors in the market include DevSecOps vendors such as Sonatype and tools such as Dependabot, which offers automated dependency updates.
The main distinction is between dependency-monitoring tools like Snyk, which help ensure the security of the third-party code an application pulls in, and code-review tools like SonarQube, which focus on helping developers improve the quality of the code they write themselves.