Companies are slowly moving away from open source software, amid growing fears about security risks posed by open source elements, new research shows.
Virtualization giant VMware recently released a report stating that the number of companies looking to deploy open source software in production environments has fallen from 95% last year to 90% this year.
The two biggest concerns pushing companies to look elsewhere are the ability to identify and the ability to address vulnerabilities in open source software. In fact, reliance on the community to address bugs and vulnerabilities tops the list (61%), followed by increased security risks (53%) and the lack of service-level agreements (SLAs) for community patches (50%).
To address this issue, companies would like to see improvements in packaging security, as open source software packaging is essential for securing the supply chain, the report states.
Apparently, most companies have too many tools, too many manual tasks and too many teams working on packaging, making the process slow, inefficient and risky.
When asked which software packaging capabilities would improve security, nearly two-thirds (60%) would appreciate immediate access to trusted security patches for applications or runtimes, dependencies, and operating system components, while half (55%) would like centralized visibility of all scans, as it would simplify security audits. Half (51%) also want automated CVE and virus scanning for each container.
While open source software remains an indispensable part of any project, this isn’t the first time security questions have been raised. Last June, cybersecurity firm Snyk, along with the Linux Foundation, released a report claiming that open source software poses a “significant security risk.”
Based on a survey of more than 550 respondents and data from 1.3 billion open source projects through Snyk Open Source, the report states that two in five (41%) companies do not trust the security of their open source code.
The average application development project, it turned out, has 49 vulnerabilities and 80 direct dependencies. It now normally takes 110 days to fix a vulnerability in an open source project, compared to 49 days four years ago.