Need for Developer-Focused Security Soars as Security Vulnerabilities Almost Double in Two Years, Snyk Report Reveals
Snyk's annual State of Open Source Security Report reveals increasing vulnerabilities in open source libraries and a growing need to equip developers to take on more security responsibility
LONDON, Feb. 26, 2019 /PRNewswire/ -- Snyk, the leading solution for automatically finding and fixing vulnerabilities in open source libraries, released its annual State of Open Source Security Report for 2019 today. The study finds rapid growth in disclosed vulnerabilities: application library vulnerabilities rose 88 percent, almost doubling compared to two years ago. Of the vulnerabilities found in open source projects, 78 percent were in indirect (transitive) dependencies rather than in the libraries developers intentionally pulled in. Indirect dependencies make finding and fixing vulnerabilities significantly more complex and time-consuming, because the vulnerable package is not named in the project's own manifest and may be installed several times, at different versions, in nested locations.
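The indirect-dependency problem described above is easiest to see by tracing a lockfile. The following Python script is an added example, not code from the report or from Snyk: it parses a constructed package-lock.json (lockfileVersion 2 "packages" map), mimics Node's nested node_modules resolution, and prints every dependency chain that reaches a package version listed in a constructed advisory feed. The package names, versions and the advisory are all fictional. Note what it exposes: the project pins a fixed version of `acme-qs` directly, yet still ships two vulnerable copies nested under other packages, so upgrading the direct dependency alone fixes nothing.

```python
"""Trace how a vulnerable package is reached through a package-lock.json
dependency tree, distinguishing direct from indirect (transitive) dependencies.

Added example. The lockfile and the advisory list below are constructed;
the package names, versions and the vulnerability are fictional.
"""
import json

# Constructed package-lock.json excerpt (lockfileVersion 2 "packages" map).
SAMPLE_LOCK = json.loads(r'''
{
  "name": "webapp",
  "lockfileVersion": 2,
  "packages": {
    "": {"dependencies": {"web-framework": "^4.0.0", "acme-qs": "^2.0.0"}},
    "node_modules/web-framework": {
      "version": "4.0.1",
      "dependencies": {"body-reader": "1.2.0", "acme-qs": "1.0.0"}
    },
    "node_modules/web-framework/node_modules/acme-qs": {"version": "1.0.0"},
    "node_modules/body-reader": {
      "version": "1.2.0",
      "dependencies": {"acme-qs": "1.0.0"}
    },
    "node_modules/body-reader/node_modules/acme-qs": {"version": "1.0.0"},
    "node_modules/acme-qs": {"version": "2.0.0"}
  }
}
''')

# Constructed advisory feed: package name -> set of affected versions.
SAMPLE_ADVISORIES = {"acme-qs": {"1.0.0"}}


def package_name(path):
    """'node_modules/a/node_modules/b' -> 'b'."""
    return path.rsplit("node_modules/", 1)[1]


def resolve(packages, from_path, name):
    """Mimic Node's lookup: try <from_path>/node_modules/<name>, then walk up
    one nesting level at a time until the root node_modules is reached.
    Returns the lockfile key of the copy that would actually be loaded."""
    current = from_path
    while True:
        candidate = f"{current}/node_modules/{name}" if current else f"node_modules/{name}"
        if candidate in packages:
            return candidate
        if not current:
            return None  # not installed at all
        current = current.rsplit("/node_modules/", 1)[0] if "/node_modules/" in current else ""


def find_vulnerable_paths(lock, advisories):
    """Return every dependency chain from the project root to an installed
    package version listed in advisories, as (chain, is_direct) tuples.
    chain is a list of 'name@version' strings, root dependency first."""
    packages = lock["packages"]
    results = []

    def walk(path, chain, visited):
        for dep in packages[path].get("dependencies", {}):
            dep_path = resolve(packages, path, dep)
            if dep_path is None or dep_path in visited:
                continue  # missing (e.g. optional) or a cycle on this chain
            version = packages[dep_path]["version"]
            new_chain = chain + [f"{dep}@{version}"]
            if version in advisories.get(dep, set()):
                results.append((new_chain, len(new_chain) == 1))
            walk(dep_path, new_chain, visited | {dep_path})

    walk("", [], frozenset())
    return results


def count_direct_indirect(results):
    """Split findings into (direct, indirect) counts."""
    direct = sum(1 for _, is_direct in results if is_direct)
    return direct, len(results) - direct


if __name__ == "__main__":
    findings = find_vulnerable_paths(SAMPLE_LOCK, SAMPLE_ADVISORIES)
    for chain, is_direct in findings:
        kind = "direct" if is_direct else "indirect"
        print(f"[{kind}] " + " > ".join(chain))
    print("direct/indirect:", count_direct_indirect(findings))
```

Run against a real lockfile by replacing `SAMPLE_LOCK` with `json.load(open("package-lock.json"))` and `SAMPLE_ADVISORIES` with your advisory source; the chain output tells you which direct dependency must be bumped (or which nested copy must be overridden) for each finding.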
Given the increase in the number of open source vulnerabilities and the complexity of fixing them, there is an urgent need for developers to take ownership of their application security. According to the report, more than 80 percent of developers indicated they believe they should be responsible for the security of their open source code. Yet, only 30 percent rate their own security knowledge as "High," confirming a knowledge gap in their ability to effectively own security during the development process.
"The report highlights that the biggest challenge that open source security faces is the growing volume of vulnerabilities and the complexity of fixing indirect vulnerabilities found in open source dependencies," said Guy Podjarny, Founder and CEO of Snyk. "As application development becomes faster and more business critical, it's important that developers consuming or creating open source embed security tooling and practices into their existing development workflows."
According to Gartner, by the year 2020, more than 50 percent of companies will use container technology, up from less than 20 percent in 2017. Snyk's report demonstrates that alongside this growth, many organizations are still struggling with container security: vulnerabilities in RHEL, Debian and Ubuntu rose four-fold in 2018 compared to 2017. Snyk's research also found that each of the ten most popular default Docker images contained at least 30 vulnerable system library versions. The official Node.js image had the most, shipping with 580 vulnerable system libraries installed.
Additionally, the report finds that 44 percent of Docker image scans surfaced known vulnerabilities for which a newer, more secure base image was already available, meaning the fix was a base image upgrade rather than a patch.
The annual State of Open Source Security Report published by Snyk comprises data gathered in a recent survey of hundreds of open source developers and maintainers; data from public application registries, library datasets, and GitHub repositories; and Snyk's vulnerability database, which continuously pulls in data from the hundreds of thousands of projects Snyk monitors and protects.
Other notable highlights from the report include:
Application Security Responsibility
- Security tool adoption is clearly lacking with only 35 percent of respondents confirming they use a dependency management or scanning tool to help surface vulnerabilities.
- Almost half of open source maintainers (48 percent) learn about vulnerabilities in their code only when someone else opens a public issue.
Open Source Security
- In 2018, disclosures for Packagist, the public PHP package repository, grew by 56 percent, and Maven Central grew by 27 percent. Although Golang is a smaller ecosystem, it saw 52 percent growth in newly discovered vulnerabilities in 2018.
Fixing Vulnerabilities
- 84 percent of open source maintainers state they are likely to respond to a security issue in less than a week. Only 22 percent of respondents said they can address a reported issue within a few hours.
- Developers, on the other hand, who are the consumers of open source projects, still need to adopt these fixes and new releases to secure their applications. However:
- More than a quarter of respondents (27 percent) state they often never find out about vulnerabilities in their dependencies, increasing risk and slowing down remediation.
- 37 percent of open source developers don't implement any sort of security testing during CI.
- Of the libraries analyzed in the report, the shortest time-to-fix, measured from when the vulnerability was introduced into the source code, was just over 9 months. The median time-to-fix was almost 2.5 years, showing that it takes a long time to surface and fix vulnerabilities in open source ecosystems.
About Snyk
Snyk is a developer-first security solution that helps organizations use open source and stay secure. Snyk is the only solution that seamlessly and proactively finds and fixes vulnerabilities and license violations in open source dependencies and Docker images. The Snyk solution integrates its comprehensive proprietary vulnerability database maintained by its expert security research team in Israel and London. With tight integration into existing developer workflows, source control (including GitHub, BitBucket, GitLab), and CI/CD pipelines, Snyk enables efficient security workflows and reduces mean-time-to-fix.
To learn more or to sign up for free, visit https://snyk.io/
SOURCE Snyk