Announcing the 2017 State of Open Source Security Report
Today we’re excited to launch the 2017 State of Open Source Security Report! You can download the full report as a free PDF, or visit https://snyk.io/stateofossecurity/ for an overview of the findings.
Open source is awesome and rapidly growing. The more businesses that rely on it for their applications, the more critical it is that we ensure that the components we build and use are secure. The State of Open Source Security Report takes a high-level view of the open source security landscape, zeroing in on where we are today, and we can do to be more secure tomorrow.
The report pulls data from a survey we ran back in September of over 500 open-source users and maintainers (a huge thank you to everyone who responded!), Snyk internal data based on more than 40,000 projects, as well as information published by Red Hat Linux and data we gathered by scanning millions of Github repositories and packages on registries. We worked with the wonderful folks at Sparkbox to get it all put together in a beautiful site and PDF.
The report uncovered a ton of interesting insights. For example, did you know that:
- Open source library vulnerabilities increased by 53.8% in 2016, while Red Hat Linux vulnerabilities have decreased.
- The median time from when a vulnerability in a package is first created to when it is disclosed is 2.5 years, but the median time from disclosure to a fix being released is only 16 days.
- 79.5% of open-source maintainers say that they have no public-facing disclosure policy in place, and those that do are more than three times as likely to have a vulnerability disclosed to them privately.
As we note in the conclusion of the report, securing open source is not something that will happen overnight. But together, with all of us making a concerted effort to take baby steps to improve our security posture, we can improve the state of open source security, and in the process, ensure that it remains a thriving and vibrant ecosystem.
Exposed or not, vulnerabilities are dangerous
November 08, 2017Whether a vulnerability is currently exposed or not matters, but only in prioritization. Where its exploitable today or not, leaving it unaddressed is a unnecessarily risky decision.
Subscribe to The Secure Developer Podcast
A podcast about security for developers, covering tools and best practices.
Interested in web security?
Subscribe to our newsletter: