Developers are open to taking increasing responsibility for open source security, according to a report from Snyk. Unfortunately, the report also shows developers are equally candid about their own security shortcomings.
The research, which combined survey data with information from Snyk’s own security scanning service, shows a surge in key open source ecosystems, with PyPI, for example, more than doubling to 14 billion downloads in 2018, and the npm registry clocking up 317 billion downloads for 2018. Docker Inc showed more than 1 billion downloads every fortnight in 2018.
At the same time, more vulnerabilities are showing up across the registries Snyk tracks, with Maven Central vulnerabilities growing 27 per cent, PHP Packagist up 56 per cent, and Golang showing a 52 per cent rise. The figures showed an 88 per cent increase in application library vulnerabilities, double the rate in 2016.
The good news is that both developers and open source project maintainers appear aware of the problem. More than 80 per cent of developers said they should take responsibility for the security of their open source code.
The bad news is that developers and maintainers have a comparatively poor opinion of their own security nous, and are not always proactive in countering that.
Just 35 per cent of respondents said they used a dependency management or scanning tool to spot vulnerabilities, while 27 per cent accepted that “I probably won’t” find out about vulns, and 10 per cent relied on their organisation’s security team to tell them. Almost 40 per cent of developers ran some form of automated security testing during CI runs.
When it comes to open source maintainers, just 30 per cent rate their security knowledge as “high”, with 63 per cent describing it as medium. Only 21 per cent audit their code once a month or more, with 21 per cent managing an audit “at least once a year” and 26 per cent saying “we don’t”.
Snyk CPO Aner Mazur said that 78 per cent of the vulnerabilities in 500,000 apps scanned came from indirect dependencies. “It means it’s very hard for a developer organisation to really track all the open source components that are being run as part of their open source applications… Doing this manually is just a near impossible task.”
“Many of these open source components, which you’re bringing into your organisation, and not even aware you’re bringing in, are maintained by people with great intentions, but not necessarily high knowledge in security,” said Mazur.
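To show what “indirect” means in practice, here is an added example (not code from Snyk or from the article) that rebuilds the dependency tree from a constructed npm package-lock.json and reports which packages matching a constructed advisory list were pulled in transitively rather than declared directly. It assumes a fully hoisted lockfileVersion 1 layout, where each entry’s “requires” map records what that package depends on.

```python
import json
from collections import deque

# Constructed sample lockfile in npm package-lock v1 layout (hoisted):
# "requires" records what each package depends on, so the tree can be rebuilt.
SAMPLE_LOCK = json.dumps({
    "name": "demo-app",
    "lockfileVersion": 1,
    "dependencies": {
        "web-framework": {"version": "2.1.0", "requires": {"deep-merge": "^1.0.0"}},
        "deep-merge": {"version": "1.2.3", "requires": {"tiny-util": "^0.9.0"}},
        "tiny-util": {"version": "0.9.4"},
        "logger": {"version": "3.0.0"},
    },
})
# Direct dependencies as declared in package.json (constructed).
DIRECT = ["web-framework", "logger"]
# Constructed advisory list: package -> first fixed version (anything below is affected).
ADVISORIES = {"deep-merge": "1.3.0", "logger": "3.1.0"}


def version_tuple(v):
    """Compare plain dotted versions numerically (no pre-release handling)."""
    return tuple(int(part) for part in v.split("."))


def walk_tree(lock_text, direct):
    """Rebuild the dependency tree from the lockfile and record, for every
    package reached, its resolved version and the shortest path that pulls it in."""
    deps = json.loads(lock_text)["dependencies"]
    paths = {name: [name] for name in direct}
    queue = deque(direct)
    while queue:
        name = queue.popleft()
        for child in deps.get(name, {}).get("requires", {}):
            if child not in paths:  # first visit is the shortest path (BFS)
                paths[child] = paths[name] + [child]
                queue.append(child)
    return {name: (deps[name]["version"], path) for name, path in paths.items()}


def find_vulnerable(lock_text, direct, advisories):
    """Return (name, version, 'direct'|'indirect', path) for every resolved package
    whose version is below the advisory's first fixed version."""
    hits = []
    for name, (version, path) in walk_tree(lock_text, direct).items():
        fixed = advisories.get(name)
        if fixed and version_tuple(version) < version_tuple(fixed):
            kind = "direct" if len(path) == 1 else "indirect"
            hits.append((name, version, kind, " > ".join(path)))
    return sorted(hits)


if __name__ == "__main__":
    for hit in find_vulnerable(SAMPLE_LOCK, DIRECT, ADVISORIES):
        print(*hit)
```

The indirect hit (deep-merge via web-framework) never appears in package.json, which is exactly the class of dependency a manual review tends to miss.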
It’s not surprising that the spread of container technology throws up even more issues, with Snyk finding that each of the ten most popular default Docker images contains at least 30 vulnerable system library versions. The official Node.js image ships 580 vulnerable system libraries. And 44 per cent of Docker image scans showed known vulnerabilities for which newer and more secure base image upgrades are available.