Centre for Internet & Society

Open-source software (OSS) components are widely assumed to be secure because their source is open to inspection. That assumption does not always hold. Software supply-chain incidents have become more frequent, with some industry reports estimating a 300% increase between 2020 and 2021 in attacks that exploit existing vulnerabilities.
This report by the Centre for Internet and Society surveys technical stakeholders to determine how they select the OSS components they use in their projects and how they think, more broadly, about the security of the software they build.

Highlights:

  • 90% of respondents work in companies with a dedicated team responsible for software security. Of those, 80% carry out no further security checks on an OSS component once their security team has approved it for use.
  • 80% of respondents see comprehensive documentation as an important factor when selecting an OSS component.
  • 70% of respondents report validating the dependencies of the OSS components they select.
  • 50% of respondents consider how actively an OSS component is maintained before selecting it for their projects.
  • 40% of respondents, when building software, anticipate neither accidental triggering of vulnerabilities nor deliberate attack by bad actors.
  • 30% of respondents report doing no post-release maintenance on the OSS components they use and deploy.
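
Three of the practices the survey asks about (validating dependencies, checking maintenance activity, and keeping up with advisories after release) can be expressed as concrete checks. The script below is an added example, not code from the CIS report or from any of the surveyed organisations. Every package name, artifact, hash, release date and advisory identifier in it is constructed for illustration and refers to no real project or real vulnerability; the pinned hashes are computed from the constructed "approved" bytes to stand in for values recorded in a lockfile at approval time.

```python
"""Offline checks for three OSS-hygiene practices: hash-pinned dependency
validation, a maintenance-activity (staleness) check, and post-release
matching against an advisory list. All data below is constructed."""
import hashlib
from datetime import date

# Constructed artifact bytes as fetched when the components were approved
# (stand-ins for real tarballs or wheels).
APPROVED_ARTIFACTS = {
    "examplelib": b"examplelib-1.4.2 contents",
    "toyparser": b"toyparser-0.9.0 contents",
    "fakecrypto": b"fakecrypto-2.1.0 contents",
}

# Constructed lock manifest: version, sha256 recorded at approval time,
# and the date of the most recent upstream release.
LOCK = {
    "examplelib": {"version": "1.4.2", "last_release": date(2023, 11, 2)},
    "toyparser": {"version": "0.9.0", "last_release": date(2021, 6, 15)},
    "fakecrypto": {"version": "2.1.0", "last_release": date(2024, 1, 20)},
}
for _name, _entry in LOCK.items():
    _entry["sha256"] = hashlib.sha256(APPROVED_ARTIFACTS[_name]).hexdigest()

# Constructed build-time fetch: one artifact no longer matches its pin.
FETCHED_ARTIFACTS = dict(APPROVED_ARTIFACTS)
FETCHED_ARTIFACTS["fakecrypto"] = b"fakecrypto-2.1.0 contents (modified)"

# Constructed advisory feed; identifiers are invented, not real CVEs.
ADVISORIES = [
    {"id": "EXAMPLE-2024-0001", "package": "toyparser", "fixed_in": "0.9.3"},
    {"id": "EXAMPLE-2023-0007", "package": "examplelib", "fixed_in": "1.4.0"},
]

TODAY = date(2024, 3, 1)  # constructed reference date for the staleness check


def parse_version(s):
    """Turn a dotted numeric version into a comparable tuple, e.g. '1.10.0' -> (1, 10, 0)."""
    return tuple(int(part) for part in s.split("."))


def hash_mismatches(lock, fetched):
    """Dependency validation: recompute sha256 of each fetched artifact and
    return the names whose digest differs from (or is missing against) the pin."""
    bad = []
    for name, entry in lock.items():
        data = fetched.get(name)
        if data is None or hashlib.sha256(data).hexdigest() != entry["sha256"]:
            bad.append(name)
    return bad


def stale_components(lock, today, max_age_days=365):
    """Maintenance activity: flag components whose last release is older than the threshold."""
    return [name for name, entry in lock.items()
            if (today - entry["last_release"]).days > max_age_days]


def affected_by_advisories(lock, advisories):
    """Post-release monitoring: a pinned version strictly below an advisory's
    fixed_in version is treated as affected."""
    hits = []
    for adv in advisories:
        entry = lock.get(adv["package"])
        if entry and parse_version(entry["version"]) < parse_version(adv["fixed_in"]):
            hits.append((adv["package"], adv["id"]))
    return hits


def review(lock, fetched, advisories, today):
    """Run all three checks and return the findings keyed by check name."""
    return {
        "hash_mismatch": hash_mismatches(lock, fetched),
        "stale": stale_components(lock, today),
        "vulnerable": affected_by_advisories(lock, advisories),
    }


if __name__ == "__main__":
    for check, findings in review(LOCK, FETCHED_ARTIFACTS, ADVISORIES, TODAY).items():
        print(f"{check}: {findings or 'none'}")
```

The hash check is the one that catches a component changing between approval and build, which is the gap left open when no further checks are run after a security team signs off. The staleness threshold and the "strictly below fixed_in" rule are deliberately simple; a production version would use an ecosystem's own version-range semantics and pull the advisory feed from a real source.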
The views and opinions expressed on this page are those of their individual authors. Unless the opposite is explicitly stated, or unless the opposite may be reasonably inferred, CIS does not subscribe to these views and opinions which belong to their individual authors. CIS does not accept any responsibility, legal or otherwise, for the views and opinions of these individual authors. For an official statement from CIS on a particular issue, please contact us directly.