New security concerns for the open-source software supply chain
Open-source software is a critical element of the software supply chain in companies of all sizes, but there are new security concerns for the open-source software supply chain – calling for better approaches to packaging security, according to VMware.
Top-level findings from The State of the Software Supply Chain: Open Source Edition 2022, show that OSS is clearly fulfilling stakeholder expectations for cost efficiency (76%), increased flexibility (60%), and developer productivity (52%).
Despite this, notable concerns and risks have reduced the number of companies that are willing to deploy open-source software in production environments this year from 95% to 90%. Two of the top three OSS concerns involve security, specifically the ability to identify and address vulnerabilities.
- Dependency on the community to patch bugs and fix vulnerabilities tops the list at 61% up from 56% last year
- This is followed by increased security risks (53% vs 47% last year) and lack of SLAs for patches from the community (50% vs 42%)
OSS packaging (the process of adapting OSS so it can be useful internally) is essential to ensure the security of the OSS supply chain. However, it has become a significant source of complexity and concern. The report finds too many tools, too many manual tasks, and too many teams are involved in packaging OSS at most companies, holding them back from securing their software supply chains efficiently.
When asked about software packaging capabilities that would improve security, respondents said:
- 60% would like immediate access to trusted security patches for applications or runtimes, dependencies, and operating system components
- 55% want centralized visibility to all scans to simplify security audits
- And 51% want to automate CVE and virus scanning for every container
To improve this in the next year, companies should therefore simplify the packaging process to make it more efficient, and consider giving responsibility for packaging to a single team, automating tasks, and consolidating packaging tools.