Companies that have an open source software (OSS) security policy in place tend to perform much better in self-assessed measures of readiness. They also tend to have dedicated teams in charge of driving software security, according to a survey published on June 21.
The survey -- published by software-security firm Snyk and the Linux Foundation on Tuesday -- found that seven out of 10 companies that have an OSS security policy in place consider their application development to be highly or somewhat secure. Comparatively, just 45% of companies that failed to institute such a policy consider themselves at least somewhat secure.
Open source software has significant benefits for application development, but companies also have to recognize and prepare for the downsides, says Matt Jarvis, director of developer relations for Snyk.
"While open source is a proven mechanism for innovation and building high-quality software, it's becoming somewhat a victim of its own success in that its ubiquity has made it a target for supply-chain attacks," he says. "Companies need to build a stronger understanding of both the mechanisms by which open source works, and this includes governance as well as code, and strengthen their approach to supply chain management through adopting developer-first security tooling and methodologies."
Smaller Firms Lag in OSS Policies
Overall, only about half of firms have an open source security policy in place to guide developers in the use of components and frameworks, according to the report. Small companies fare worse: 60% of them either have no such policy or do not know whether one exists.