Falling security levels and stricter frameworks put a strain on developers
The new Snyk report shows: Growing requirements and inadequate supply chain security are overwhelming teams. Nevertheless, OSS projects have an advantage.
(Image: created with Dall-E by iX)
- Robert Lippert
The new State of Open Source Security Report 2024 is available and takes a concerned look at the current trends in software and supply chain security for open source projects.
Publisher Snyk, provider of the developer security platform of the same name, identifies three key points in its document. According to the report, teams are coming under increasing pressure from growing security requirements, which means that security measures are implemented less frequently. 52 percent of teams regularly fail to meet their SLA (Service Level Agreement) targets. A combination of stagnating security measures, a lack of resources and growing requirements is also leading to fatigue in terms of application security. According to Snyk, there is a lack of more sustainable security practices to address these challenges.
(Image: The State of Open Source Security Report 2024, snyk.com)
Vulnerability to supply chain attacks is also increasing, as many companies are inadequately prepared to secure their supply chains. Modern security practices such as SBOM verification, artifact signing and pipeline protection are not widely implemented. For example, only 62.4 percent of companies monitor their SBOMs (Software Bill of Materials). Reliance on outdated approaches also increases the attack surface, especially in cloud-native environments.
Finally, as far as the use of artificial intelligence is concerned, the teams surveyed fear additional security vulnerabilities or licensing issues. False confidence in AI-generated code also plays a role.
Open source software can further expand its strengths over proprietary applications
However, the report also recognizes an encouraging development: the open source community has made significant progress in eliminating critical vulnerabilities and shows a higher overall responsiveness than proprietary software projects.
For the future, the authors of the survey recommend expanding preventive security measures and improving the security maturity of supply chains in order to counter future threats efficiently. This includes basic security practices, better prioritization in vulnerability management, clear guidelines for the validation and testing of AI-generated code, and advising teams to focus on sustainable measures to avoid burnout.
The report is based on information from around 450 respondents from the application development and security sector, based in the USA, Canada and the United Kingdom. The 12-page document is available for download upon registration.
(mho)