New research shows that companies are slowly moving away from open source software, due to growing concerns about the security risks that come from open source components.
The giant VMware recently released a report indicating that the number of companies wanting to deploy open source software in production environments has fallen from 95% last year to 90% this year.
The biggest concerns forcing companies to look elsewhere revolve around the ability to identify and address vulnerabilities in open source software. In fact, reliance on the community to address flaws and vulnerabilities tops the list (61%), followed by increased security risks (53%) and a lack of Service Level Agreements (SLAs) for patches from the community (50%).
To address this issue, companies want to see improvements in packaging security, as open source software packaging is essential to securing the supply chain, the report claims.
Apparently, there are too many tools, too many manual tasks, and too many teams working on packaging in most companies, making the process slow, inefficient, and risky.
When asked which software packaging capabilities would improve security, nearly two-thirds (60%) said they would appreciate immediate access to reliable security patches for applications or runtimes, dependencies and OS components, while half (55%) would like a central view of all scans, because it would simplify security audits. Half (51%) also want to automate CVE and antivirus screening for each container.
While open source software remains an indispensable part of every project, this isn’t the first time that security questions have been raised. Last June, cybersecurity firm Snyk, in conjunction with the Linux Foundation, published a report claiming that open source software poses a “significant security risk”.
Based on a survey of more than 550 participants, as well as data from 1.3 billion open source projects via Snyk Open Source, the report indicates that two out of five companies (41%) are not confident in the security of their open source code.
The average application development project was found to have 49 vulnerabilities, as well as 80 direct dependencies. On average, it now takes 110 days to address a vulnerability in an open source project, up from 49 days four years ago.