
Open Source Does Not Equal Secure
2020-12-03 17:21

GitHub has published a deep-dive into the state of open source security. It draws on data gathered from the platform's dependency security features and the six package ecosystems GitHub supports, comparing the period from October 1, 2019, to September 30, 2020, with the period from October 1, 2018, to September 30, 2019.

In comparison to 2019, GitHub found that 94% of projects now rely on open source components, with close to 700 dependencies on average.

Open source dependencies are found most frequently in JavaScript (94%), as well as in Ruby and.

On average, vulnerabilities can go undetected for over four years in open source projects before disclosure.

Open source means that the code is available for security evaluation, not that it necessarily has been evaluated by anyone.


News URL

https://www.schneier.com/blog/archives/2020/12/open-source-does-not-equal-secure.html