According to a new survey[1] by Sonatype, IT professionals are reporting an increase in security breaches in Open Source software.

According to the survey, breaches tied to open source software components increased 71% over a five-year period.

The figure could be interpreted in many ways. Is Open Source more insecure than proprietary software? Are more hackers targeting open source? Neither is the case. Open Source, by design, is more secure than proprietary software.

The blame for these breaches lies with companies like Equifax that fail to keep their software updated. Open Source projects are known for patching any security hole and releasing fixes immediately, but ‘consumers’ of open source lack the best practices needed to keep their stack up to date, and then try to put the blame on Open Source.

The fact is, open source, like any other software, is prone to bugs. Bugs are part of the software development process. However, the open source development model makes it extremely easy for users to patch such holes themselves without having to rely on the vendor.

Another interpretation is that there is an increase in breaches not because open source is becoming more insecure, but because more and more companies are now using open source without actually adopting the best practices that they should.

The survey quoted Jonas Manalansan, a cybersecurity engineer at Northrop Grumman: “Successful DevSecOps projects are able to bring security into the DevOps processes without slowing them down. All in all, DevSecOps delivers reduced cost, reduced development churn, and reduced application attack surface, which delivers higher ‘security and higher confidence to the organization’.”

So, in a nutshell, there is no increase in breaches related to open source itself; there is an increase in the adoption of open source, and these users must embrace best practices.

References

  1. ^

Read more from our friends at Linux Magazine