A recent report found that while open-source software is top of mind for organizations, they fail to apply security patches in a timely manner. The DevSecOps Practices and Open Source Management in 2020 report by the Synopsys Cybersecurity Research Center found 51% of respondents take up to two to three weeks on average to apply an open-source security patch. Twenty-four percent of respondents take about a month, while only 16% provide a fix within a week.

According to the report, this is troublesome because more than 70% of modern codebases today consist of open-source software. Additionally, the report found 75% of codebases with open-source components contain known security vulnerabilities. When asked if addressing a critical open-source patch impacted their software delivery schedule, 52% in the United States and 40% globally responded yes.

RELATED CONTENT: AppSec vs. DevSecOps, and what that means for developers

“It’s clear that unpatched vulnerabilities are a major source of developer pain, and ultimately business risk,” said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.

Mackey explained that the delayed security response may be due to a lack of tools. Only 38% reported they use a software composition analysis tool to manage and maintain open-source components. “The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” said Mackey.

The report also found that although there is an abundant amount of security testing tools and techniques available today, there isn’t a universally adopted application security testing tool.

In addition, the report looked at how organizations approach open-source security. About 33% of respondents believe their DevSecOps practices have matured, 30% reported DevSecOps is limited to specific projects and 11% are still trying to figure out how to apply it.

Seventy-two percent of organizations have a policy for open source use and 64% have an open source governance board or individual in charge of open source governance. Top requirements in an open source policy includes acceptable open source licenses, patch and update requirements, and a whitelist or blacklist of components. Top criteria for evaluating open-source components include known vulnerabilities, implementation, familiarity with the community, and releases/patches.

Media coverage was also found to play a critical role in open-source security with 46% of respondents revealing coverage of open-source issues result in more stringent controls on their usage, 45% put open-source management tools in place, and 36% changed the open-source components they were using because of media coverage.

“Organizations are producing and deploying software applications faster than ever before. Ensuring that developers are on board with security practices is even more critical to improving their efficiency. The Forrester report, The State of Application Security, 2020 notes, To meet developer needs, security pros must integrate application security testing tools into the CI/CD pipeline and enable scans to run automatically on check in, build, and integration while also enabling auto remediation to make mitigating security flaws quick and painless.’” the report stated.