A new survey finds that not only do a majority of the audited open source code bases have security vulnerabilities, but that companies take weeks to apply patches to seal them off.
The findings, part of a survey conducted by the Synopsys Cybersecurity Research Center (CyRC), are even more shocking considering that it already takes several years for most security vulnerabilities to be fully disclosed.
The survey reports that 51% of the respondents said it takes two to three weeks for them to apply an open source patch. Even worse, at 24%, a smaller but significant number of respondents take up to a month, even when the patch addresses a critical issue.
Laxity in patching
The report surveyed 1500 IT professionals working in cyber security, software development, software engineering, and web development in several countries.
It acted as a follow up to the 2020 Open Source Security and Risk Analysis (OSSRA) report – which discovered that 75% of examined codebases contained open source components with known security vulnerabilities.
“It’s clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk,” said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.
Running outdated code
The survey also found widespread discovery of outdated or abandoned open source components in commercial code.
A staggering 91% of codebases audited contained open source components that were either more than four years out of date or had no development activity in the past two years.
“This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released,” notes Mackey.
Considering that only around 47% of the respondents said they defined standards around the age of open source components they use, Mackey hypothesized that the other organizations are probably employing manual processes to manage open source.
