The rising popularity of open source components doesn’t automatically make them the right choice
Open source software packages with millions of downloads cannot be blindly trusted to deliver on security, despite their popularity.
That’s according to the State of the Software Supply Chain report, released by Sonatype today, which revealed that while open source (OS) components can help improve the security of software, not all are created equally.
The report, which surveyed 36,000 OS project teams, was produced in collaboration with Gene Kim, IT Revolution, and Dr Stephen Magill, Galois, to objectively examine both the OS project teams and 3.7 million OS releases.
It revealed one clear truth – the rate of OS components being used in software writing is rapidly expanding.
According to the figures, there was a 75% increase in the use of OS software components in the years 2017 to 2019.
There was also an increase in the supply – 21,448 new OS components were released every day since the beginning of 2018.
The Sonatype team came up with a hypotheses – OS projects are likely to have better security if they are popular, have less dependencies to keep track of, have a bigger team behind them, release updates faster, use continuous integration, and are supported by an OS foundation or commercial entity.
While some of their preconceived ideas were, to some degree, found to be true – for example, the top 20% of teams by size were found to update their dependencies 50% faster – not all correlated.
For example, the popularity of an OS component does not always reflect how secure it is.
“It has long been believed that in the realm of open source development, ‘with more eyeballs, all bugs are shallow’,” Derek Weeks, vice president at Sontaype tells The Daily Swig.
“In other words, the more popular open source components were, the fewer bugs or vulnerabilities they might have.
“Our research into popularity of components in this year’s report distinctly shows that developers should not select components based on popularity alone.
“While many of the best quality open source components are popular, not all popular open source projects release improvements or remediate vulnerabilities frequently.
“Some of the most popular components may take 200 days or more, on average, to release new updates or remediate known security vulnerabilities.”
Velocity does not have to come at the cost of reduced security, Weeks urged, though other factors often need to be first set in place.
“We found that exemplary open source project initiatives benefit tremendously from higher code commit, release frequencies, and to some extent larger development teams,” Weeks said.
He added: “We also saw that managed software supply chains are definitely safer. In fact, we measured a 55% reduction in the use of vulnerable open source components [when] companies managed their open source software supply chains.”
Some consideration should be given to the fact that open source projects are often handled by teams of volunteers, who therefore might not have the time or resources to regularly maintain their dependencies.
This reality continues to fan the flames of the long-disputed debate on whether open source is actually more secure than closed source.
“The question is no longer about open source or closed source being more secure. Today, both [open and closed software] are equally assembled using open source software components,” Weeks said.
“… not all open source software components are created equal,” he added.
Instead of focusing on whether to build on open source or closed source, Weeks suggests that developers should seek out components that demonstrate a commitment to updating quickly and regularly.
They should also use a repository manager, update dependencies, use the most recent version, and automate.
“One final thought,” Weeks said. “Put simply, exemplary software development practices that deliver high quality, improved security at high velocity are not rare.
“Exemplars are present today in large numbers, and their practices serve as benchmarks for others to strive for and achieve.”
RELATED Acid test: open source vs closed