Snyk Blog

Announcing the 2017 State of Open Source Security Report

Written by:
Tim Kadlec
Tim Kadlec

November 16, 2017

0 mins read

Check out our new Open Source Security Report 2020. This report reflects on open source security concerns in 2020, trends in vulnerabilities across packages and container images.

Today we’re excited to launch the 2017 State of Open Source Security Report! You can download the full report as a free PDF.

Open source is awesome and rapidly growing. The more businesses that rely on it for their applications, the more critical it is that we ensure that the components we build and use are secure. The State of Open Source Security Report takes a high-level view of the open source security landscape, zeroing in on where we are today, and we can do to be more secure tomorrow.

The report pulls data from a survey we ran back in September of over 500 open-source users and maintainers (a huge thank you to everyone who responded!), Snyk internal data based on more than 40,000 projects, as well as information published by Red Hat Linux and data we gathered by scanning millions of Github repositories and packages on registries. We worked with the wonderful folks at Sparkbox to get it all put together in a beautiful site and PDF.

The report uncovered a ton of interesting insights. For example, did you know that:

  • Open source library vulnerabilities increased by 53.8% in 2016, while Red Hat Linux vulnerabilities have decreased.

  • The median time from when a vulnerability in a package is first created to when it is disclosed is 2.5 years, but the median time from disclosure to a fix being released is only 16 days.

  • 79.5% of open-source maintainers say that they have no public-facing disclosure policy in place, and those that do are more than three times as likely to have a vulnerability disclosed to them privately.

  • Of 433,000 sites tested, 77% run at least one client-side JavaScript library with a known security vulnerability.

As we note in the conclusion of the report, securing open source is not something that will happen overnight. But together, with all of us making a concerted effort to take baby steps to improve our security posture, we can improve the state of open source security, and in the process, ensure that it remains a thriving and vibrant ecosystem.

Snyk Top 10: Vulnerabilites you should know

Find out which types of vulnerabilities are most likely to appear in your projects based on Snyk scan results and security research.

See the report
Patch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo SegmentPatch Logo Segment

Snyk is a developer security platform. Integrating directly into development tools, workflows, and automation pipelines, Snyk makes it easy for teams to find, prioritize, and fix security vulnerabilities in code, dependencies, containers, and infrastructure as code. Supported by industry-leading application and security intelligence, Snyk puts security expertise in any developer’s toolkit.

Start freeBook a live demo

Product

What is Snyk?Snyk Code (SAST)Snyk Open Source (SCA)Snyk ContainerSnyk Infrastructure as CodeSnyk AppRisk (ASPM)Developer Security PlatformApplication securitySoftware supply chain securitySecure AI-generated code DeepCode AIPricingDeployment optionsIntegrationsIDE pluginsGit SecurityCI/CD pipelines securitySnyk CLISnyk LearnSnyk for JavaScript

Resources

DocumentationSnyk API DocsAPI statusDisclosed vulnerabilitiesSupport portal & FAQ’sBlogSecurity fundamentalsResources for security leadersResources for ethical hackersVulnerability DatabaseSnyk OSS AdvisorSnyk Top 10VideosCustomer resources

Company

AboutCustomersCareersEventsSnyk for governmentPress kitSecurity & trustLegal termsPrivacyFor California residents: Do not sell my personal informationWebsite Terms of Use

Connect

Book a live demoContact usSupportReport a new vuln

Security

Application SecurityContainer SecuritySupply Chain SecurityJavaScript SecurityOpen Source SecurityAWS SecuritySecure SDLCSecurity postureSecure codingEthical HackingAI in cybersecurityCode CheckerPythonEnterprise CybersecurityJavaScriptSnyk With GitHubSnyk vs VeracodeSnyk vs Checkmarx

© 2024 Snyk Limited
Registered in England and Wales

logo-devseccon