More and more companies are now worried about open source security

Businesses are slowly moving away from open source software, due to growing fears of security risks that come from open source elements, new research has shown.

Virtualization giant VMware recently released a report that states that the number of companies willing to deploy open source software in production environments fell from 95% last year, to 90% this year. 

The two biggest concerns that are forcing companies to look elsewhere are the ability to identify and address vulnerabilities found in open source software. In fact, dependency on the community to address flaws and vulnerabilities is at the top of the list (61%), followed by increased security risks (53%), and the lack of service-level agreements (SLA) for patches from the community (50%). 

Too many tools, manual tasks, and people

To address the issue, businesses would love to see improvements in packaging security, as open source software packaging is essential in securing the supply chain, the report claims.

Apparently, there are too many tools, too many manual tasks, and too many teams working on packaging at most companies, which makes the process sluggish, inefficient and risky.

When asked which software packaging capabilities would improve security, almost two-thirds (60%) would appreciate immediate access to trusted security patches to applications or runtimes, dependencies, and operating system components, while half (55%) want centralized visibility to all scans, as it would simplify security audits. Half (51%) also want to automate CVE and virus scanning for every container.

While open source software remains an indispensable part of every project, this is not the first time questions of security have been raised. Last June, cybersecurity firm Snyk, together with the Linux Foundation, published a report claiming open-source software poses a “significant security risk”.

Based on a survey of more than 550 respondents, as well as data pulled from 1.3 billion open source projects via Snyk Open Source, the report states that two in five (41%) firms are not confident in the security of their open source code.

The average application development project, it was found, has 49 vulnerabilities, as well as 80 direct dependencies. Usually, it now takes 110 days to remedy a vulnerability in an open source project, up from 49 days four years ago.

Go to Source