The 2023 State of Open Source Security report from Snyk highlights trends in open source code …
Open source code is an essential component of software today. Many open source tools power applications and systems across industries, and modules or components of open source projects are woven throughout other software code. As open source usage continues to soar, so do security concerns associated with it. To gain deeper insights into the state of open source security, Snyk, a leading security platform, released its much-awaited “2023 State of Open Source Security Report.”
The report, based on an extensive analysis of open source security data, provides a comprehensive overview of the challenges and opportunities that lie ahead for developers and organizations. The Executive Summary of the report notes, “Despite most organizations following some best practices, there are significant gaps in adopting security practices and tooling.”
Supply Chain Security
A blog post from Snyk points out, “Several high-profile attacks have caused an increased focus on supply chain security. Engineering and security teams are also facing pressure from governmental bodies, such as the United States Executive Order on Improving the Nation’s Cybersecurity and the EU’s pending Cyber Resilience Act.”
Despite that heightened focus, though, one of the alarming discoveries of the report is the number of organizations that are not using key software supply chain security tools. Supply chain attacks are increasingly prevalent, and the broad use of open source code increases the risk of potential supply chain attacks for many organizations. In spite of that, the Snyk report found that only 40% of the organizations surveyed are not using software composition analysis (SCA) or static application security testing (SAST) tools—and even fewer have adopted cloud-native security measures like configuration checks for infrastructure-as-code tools.
I had a chance to speak with Randall Degges, Head of Developer Relations and Community for Snyk, about the report and his thoughts on the findings. He emphasized that there is still a lot of work to be done in terms of securing the open source software supply chain. “So many people are using open source software in every single application, and those dependencies still need a lot of work to be closely monitored for security vulnerabilities.”
Indirect Dependencies
Due to the heightened attention and scrutiny of supply chain risks, most organizations are aware of at least their direct dependencies. However, indirect dependencies—basically the cascading dependencies two or three or more levels down—are often ignored.
The report explains, “Indirect (transitive) dependencies, which might be buried deep inside other open source applications, are hard to monitor. Indirect dependencies are often transient and potentially nested within other indirect dependencies, often several degrees removed from the direct dependency package or library.”
While 92% of those surveyed reported monitoring at least direct dependencies, nearly a third admitted that they are not monitoring indirect dependencies.
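The gap the report describes is easy to see in code: a scan that stops at direct dependencies never reaches a vulnerable package nested two or three levels down. The following is an added example, not code from the Snyk report or this article. It walks a constructed lockfile-style dependency graph, computes the full transitive closure with the depth of each package, matches every reachable package against a constructed advisory list, and compares a direct-only build gate with a gate that covers indirect dependencies. All package names, advisory IDs and severities are made up for the example.

```python
"""Added example (not from the Snyk report or this article): resolve a
constructed dependency graph to its transitive closure and check every
package, direct or indirect, against a constructed advisory list."""
from collections import deque

# Constructed dependency graph in the shape of a lockfile: each key is a
# package, each value the packages it declares as requirements.
DEPENDENCY_GRAPH = {
    "web-app": ["http-client", "templating"],
    "http-client": ["url-parser", "compression"],
    "templating": ["markup-escape"],
    "url-parser": [],
    "compression": ["checksum-lib"],
    "markup-escape": [],
    "checksum-lib": [],
}

# Constructed advisories keyed by package name; IDs are placeholders.
ADVISORIES = {
    "checksum-lib": {"id": "EXAMPLE-ADV-001", "severity": "high"},
    "markup-escape": {"id": "EXAMPLE-ADV-002", "severity": "low"},
}

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def resolve_dependencies(root, graph):
    """Return {package: depth} for everything reachable from root.

    depth 1 is a direct dependency; depth >= 2 is indirect (transitive).
    Breadth-first order records the shortest path to each package, and the
    visited check also keeps the walk finite if the graph has cycles.
    """
    depths = {}
    queue = deque((dep, 1) for dep in graph.get(root, []))
    while queue:
        name, depth = queue.popleft()
        if name in depths:
            continue
        depths[name] = depth
        for child in graph.get(name, []):
            queue.append((child, depth + 1))
    return depths


def find_vulnerable(root, graph, advisories):
    """List (package, depth, advisory) for every reachable package that has
    an advisory, worst severity first, then shallowest, then by name."""
    depths = resolve_dependencies(root, graph)
    findings = [(pkg, depth, advisories[pkg])
                for pkg, depth in depths.items() if pkg in advisories]
    findings.sort(key=lambda f: (-SEVERITY_RANK[f[2]["severity"]], f[1], f[0]))
    return findings


def build_gate(root, graph, advisories, fail_at="high", direct_only=False):
    """Return True if the build may proceed.

    direct_only=True mimics a scan that ignores transitive dependencies,
    which is the monitoring gap the report describes.
    """
    threshold = SEVERITY_RANK[fail_at]
    for pkg, depth, adv in find_vulnerable(root, graph, advisories):
        if direct_only and depth > 1:
            continue
        if SEVERITY_RANK[adv["severity"]] >= threshold:
            return False
    return True


if __name__ == "__main__":
    for pkg, depth, adv in find_vulnerable("web-app", DEPENDENCY_GRAPH, ADVISORIES):
        kind = "direct" if depth == 1 else f"indirect (depth {depth})"
        print(f"{pkg}: {adv['id']} [{adv['severity']}] via {kind} dependency")
    print("direct-only gate passes:",
          build_gate("web-app", DEPENDENCY_GRAPH, ADVISORIES, direct_only=True))
    print("transitive gate passes:",
          build_gate("web-app", DEPENDENCY_GRAPH, ADVISORIES))
```

Run as written, the direct-only gate lets the build through because neither vulnerable package is a declared dependency of `web-app`, while the transitive gate blocks it on the high-severity advisory three levels down. In a real pipeline the graph would come from the project's lockfile and the advisories from a vulnerability database; the resolution and gating logic stays the same.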
Benefits and Pitfalls of AI
Artificial intelligence is not new—but it has been getting a ton of attention this year as companies of all shapes and sizes jump on the generative AI bandwagon. Suddenly there are AI and generative AI tools for almost every imaginable scenario or niche. There are a wide variety of potential benefits to embracing and using AI, but there are definitely some caveats to keep in mind as well.
The use of AI is virtually ubiquitous at this point. More than 90% of the organizations surveyed in the Snyk report say they have deployed some form of code-generating AI tool in their environment. That is where things start to get more complicated, though. While more than three-fourths of respondents expressed optimism that these tools have improved code security, almost 60% are concerned that AI tools will introduce security vulnerabilities into code, and half are concerned that AI might introduce licensing violations.
Degges and I agreed that AI tools are here to stay. He told me that he finds the tools very helpful and can’t imagine going back to not using them. We also talked about the challenges caused by cognitive bias and the tendency for people to simply accept computer-generated answers or assume that content or code generated by AI is more accurate or authoritative by default. He shared some findings from a Stanford study from December of 2022 that found that participants who had access to AI assistance wrote significantly less secure code, while simultaneously being much more likely to believe that the code they produce is secure.
Automating Code Security
The 2023 State of Open Source Security Report by Snyk provides a comprehensive and eye-opening assessment of the current state of open source security. The TL;DR of the report is that it is increasingly important to streamline and automate code analysis.
Code review can’t be a last step on the checklist. The volume and velocity of code are too overwhelming, and with a DevSecOps culture the development lifecycle is continuous. The Snyk blog post shared, “A key tenet of supply chain security is empowering developers to spot vulnerabilities earlier in the software development lifecycle (SDLC). This means giving developers the tools and training to code more securely and scan more frequently. These practices improve speed and efficiency in the SDLC as fewer builds are blocked in pre-deployment testing and routed back to developers to fix.”
With the increasing complexity of software supply chains and the rising dependency on AI, developers and organizations must prioritize security efforts to protect their projects from potential breaches. The open source community must continue to collaborate, implement secure development practices, and stay vigilant against emerging threats to ensure a safer and more secure open source environment for all.