Thursday, 16 November, 2017 UTC


Summary

Today we’re excited to launch the 2017 State of Open Source Security Report! You can download the full report as a free PDF, or visit https://snyk.io/stateofossecurity/ for an overview of the findings.
Open source is awesome and rapidly growing. The more businesses that rely on it for their applications, the more critical it is that we ensure that the components we build and use are secure. The State of Open Source Security Report takes a high-level view of the open source security landscape, zeroing in on where we are today, and we can do to be more secure tomorrow.
The report pulls data from a survey we ran back in September of over 500 open-source users and maintainers (a huge thank you to everyone who responded!), Snyk internal data based on more than 40,000 projects, as well as information published by Red Hat Linux and data we gathered by scanning millions of Github repositories and packages on registries. We worked with the wonderful folks at Sparkbox to get it all put together in a beautiful site and PDF.
The report uncovered a ton of interesting insights. For example, did you know that:
  • Open source library vulnerabilities increased by 53.8% in 2016, while Red Hat Linux vulnerabilities have decreased.
  • The median time from when a vulnerability in a package is first created to when it is disclosed is 2.5 years, but the median time from disclosure to a fix being released is only 16 days.
  • 79.5% of open-source maintainers say that they have no public-facing disclosure policy in place, and those that do are more than three times as likely to have a vulnerability disclosed to them privately.
  • Of 433,000 sites tested, 77% run at least one client-side JavaScript library with a known security vulnerability.
For more data like this, download the full report or visit https://snyk.io/stateofossecurity/.
As we note in the conclusion of the report, securing open source is not something that will happen overnight. But together, with all of us making a concerted effort to take baby steps to improve our security posture, we can improve the state of open source security, and in the process, ensure that it remains a thriving and vibrant ecosystem.