The State of Open Source Report
Snyk’s annual SOSS report reveals trends in the software industry’s approach to securing open source software (OSS).
The attack surface of modern enterprise technology stacks has expanded significantly over the past decade, driven by trends like microservices, cloud computing, serverless architectures, and complex deployment environments. With heightened app risk, strengthening security practices and hardening supply chains has never been more crucial.
The report investigates the current state of OSS, supply chain vulnerability management, and the growing, yet risky, reliance on AI in code development. The survey totaled 453 technologists across application development and security and focused on security practice adoption, technology choices, and the impact of AI-powered coding assistants.
Security efforts are slowing, reflected in an 11.3% drop in tool adoption and a 17.8% drop in training investment from 2023. Despite 74% of companies setting high-severity vulnerability SLAs at a week or less, 52% miss these targets at least some of the time. This suggests systemic burnout and unrealistic expectations with lagging risk prioritization and security posture management.
Security teams are overwhelmed, with half failing to meet vulnerability management goals.
SBOM monitoring was adopted by only 62.4% of organizations, while many other essential practices barely crossed the 50% adoption threshold. Even core security practices like Software Composition Analysis and Static Application Security Testing barely exceeded 60% usage, with container scanning at a surprising 35%.
Despite rising vulnerabilities, proactive efforts like new tooling adoption in security have decreased by 15% and 11% respectively.
Supply chain security practices remain immature, with no practice used by more than two-thirds of organizations.
Confidence in AI’s security capabilities is climbing, with many respondents believing AI has improved their code’s safety. Yet, a risky disconnect persists: only 56.1% are concerned about AI-introduced vulnerabilities, and 38.1% report little to no worry.
However, 84.1% of respondents still audit AI-suggested open source libraries and packages with the same rigor as human-written code.
77.9% of respondents trust AI to enhance code security but research shows frequent, severe flaws in AI-generated code.
The OSS community continues to make impressive strides in vulnerability management, consistently outpacing proprietary software in responsiveness. Projects across major programming languages are shortening response times, which reflects a strong commitment to security improvement.
Time-to-fix improvements highlight the power of collaborative, transparent security practices in the OSS community.
Why AppSec fatigue is impacting security performance and how to combat it.
Download this year’s report to learn:
The most critical gaps in supply chain security practices and how to address them
The real risks of AI-generated code and AI-suggested open source libraries and packages, and strategies to manage AI responsibly
Key data on tool adoption trends and where organizations are falling short
How the open source community is outpacing proprietary software in vulnerability response times
Get the full insights and actionable guidance to strengthen your security in 2025.