According to a survey conducted by Sonatype, open source components are a major building block of application development, but their security leaves something to be desired. Sonatype surveyed 3,500 developers, architects and managers from 50 countries about their use of open source components and their approaches to securing them. Respondents included people from Netflix, LinkedIn, Facebook, Disney, GE, eBay and other major companies (25% of respondents came from organizations with more than 500 developers).
Overall, the study found that we’re getting better at paying attention to the security of open source components, but we still have a long way to go.
- 57% of companies don’t have an official policy regarding the use of open source
- 32% said there are no standards regarding open source use – each developer/team chooses their own components
- When there is an open source policy, it’s not always enforced (31% said that the biggest challenge with their company’s policy is that there is no enforcement)
- 47% of policies say that developers must avoid known vulnerabilities. Only 24% make developers prove they are not using components with known vulnerabilities
- 61% of developers dismiss or overlook security for one of three reasons – they believe security is not their responsibility, they know it’s important but feel they don’t have time to address it, or it’s simply something they’re not focused on
- 45% of organizations don’t keep an inventory of the open source components they use
In the end, if your application has a vulnerability or security issue, your users will blame you. They don’t care whether the problem is in someone else’s code; they expect you to take the time to make your app secure, no matter how it was built. So know the open source components you’re using, track known vulnerabilities in them, and dedicate some time to security testing your mobile app to make sure the entire thing is as secure as possible.
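Keeping the inventory that the survey says 45% of organizations lack, and turning "prove you are not using components with known vulnerabilities" into a check a build can actually enforce, looks like this in practice. The following is an added Python example written for this page; it is not code from the original post or from Sonatype. The requirements-style manifest, the package names and versions, and the advisory feed with its EXAMPLE-000n identifiers are all constructed for illustration and correspond to no real project, library or CVE. Exact pinning is treated as a policy requirement, because a component whose version is only a range cannot be inventoried or vouched for.

```python
"""Minimal open source component inventory plus a known-vulnerability gate.

Added example, not the page's own code. All sample data below is constructed.
"""
import operator
import re

# Constructed sample manifest (pip requirements style). Names and versions are hypothetical.
SAMPLE_MANIFEST = """
# web stack
fastjson-py==1.2.3
imagelib>=2.0,<3.0   # range pin: cannot be inventoried exactly
authkit==0.9.1
logfmt==4.1.0
"""

# Constructed advisory feed. Identifiers are hypothetical, not real CVEs.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-0001", "package": "fastjson-py", "affected": "<1.2.4", "fixed": "1.2.4"},
    {"id": "EXAMPLE-0002", "package": "authkit", "affected": "<0.9.0", "fixed": "0.9.0"},
    {"id": "EXAMPLE-0003", "package": "logfmt", "affected": ">=4.0.0,<4.1.1", "fixed": "4.1.1"},
]

_OPS = {"<": operator.lt, "<=": operator.le, ">": operator.gt,
        ">=": operator.ge, "==": operator.eq, "!=": operator.ne}
_COMPARATOR = re.compile(r"^(<=|>=|==|!=|<|>)\s*([0-9][0-9.]*)$")
_PIN = re.compile(r"^([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9.]*)$")


def parse_version(text):
    """'1.2.3' -> (1, 2, 3). Only dotted numeric versions are handled here."""
    return tuple(int(part) for part in text.strip().split("."))


def _pad(a, b):
    """Right-pad the shorter tuple with zeros so (1, 2) compares as (1, 2, 0)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)), b + (0,) * (n - len(b))


def version_in_range(version, spec):
    """True if version satisfies every comma-separated comparator in spec, e.g. '>=4.0.0,<4.1.1'."""
    v = parse_version(version)
    for clause in spec.split(","):
        m = _COMPARATOR.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported comparator: {clause!r}")
        op, bound = m.group(1), parse_version(m.group(2))
        left, right = _pad(v, bound)
        if not _OPS[op](left, right):
            return False
    return True


def build_inventory(manifest_text):
    """Return (pinned, unpinned): pinned maps name -> exact version,
    unpinned lists requirement lines that cannot be inventoried exactly."""
    pinned, unpinned = {}, []
    for raw in manifest_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        m = _PIN.match(line)
        if m:
            pinned[m.group(1).lower()] = m.group(2)
        else:
            unpinned.append(line)
    return pinned, unpinned


def audit(pinned, advisories):
    """Match each advisory's affected range against the exact version in the inventory."""
    findings = []
    for adv in advisories:
        version = pinned.get(adv["package"].lower())
        if version is not None and version_in_range(version, adv["affected"]):
            findings.append({"id": adv["id"], "package": adv["package"],
                             "installed": version, "fixed": adv["fixed"]})
    return findings


def policy_gate(manifest_text, advisories):
    """Return (passed, report). The gate fails when any component matches an
    advisory or when a component is not exactly pinned."""
    pinned, unpinned = build_inventory(manifest_text)
    findings = audit(pinned, advisories)
    passed = not findings and not unpinned
    return passed, {"inventory": pinned, "unpinned": unpinned, "findings": findings}


if __name__ == "__main__":
    ok, report = policy_gate(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    for f in report["findings"]:
        print(f"{f['id']}: {f['package']}=={f['installed']} is affected, fixed in {f['fixed']}")
    for line in report["unpinned"]:
        print(f"not exactly pinned, cannot inventory: {line}")
    print("policy gate:", "PASS" if ok else "FAIL")
```

Run against the constructed manifest, the gate reports two affected components and one range-pinned line and fails; against a manifest with every component pinned at or above the fixed version it passes. In a real pipeline the manifest would be the project's actual lock file and the advisory list would come from a vulnerability feed, but the enforcement step, failing the build rather than merely asking developers to avoid known issues, is the part the survey found most policies were missing.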