The open source software-related Equifax data breach was not an isolated incident, and wary businesses have reacted...
with investments in DevSecOps.
Over one-third of businesses have suspected or found security breaches in their software products that contain open source components during the last 12 months. DevOps shops are taking more measures to secure open source code, according to the fifth annual DevSecOps Community Survey.
The just-released survey revealed the impact of open source security failures, such as last September's Equifax security breach. Of survey respondents using DevOps, 73% said high-profile breaches heightened their interest in DevSecOps practices, compared with 45% with no DevOps practice. The 2018 survey's producers were Carnegie Mellon's Software Engineering Institute, Contino, DZone, Ranger4, SJ Technologies, Signal Sciences and Sonatype.
Equifax's failure to secure open source software (OSS) was no anomaly. About 38% of the 2,076 software pros surveyed reported suspected or verified security breaches due to open source component or dependency flaws during the last 12 months, compared with 14% in 2014 and 20% in 2017.
That may be the tip of the iceberg of organizations' weak efforts to secure open source code. Sixty-two percent of survey respondents' companies without DevOps programs do not have meaningful controls over what components are in their applications. And 46,000 organizations downloaded vulnerable versions of Apache Struts -- the OSS that Equifax failed to patch -- or its components in 2017, despite patched versions being available, according to earlier research by Sonatype.
A majority without secure open source code
Many businesses have a naïve trust in the security of open source software. They fund security programs for code they develop, which is often on 10% of their final product, said Mark Curphey, founder of the Open Web Application Security Project and SourceClear, a San Francisco OSS security tools vendor. "So, 90% of the code, which is open source, is walking in the back door with no scrutiny and no checks," he said.
Matt Heussersoftware delivery and test consultant, Excelon Development
Software development today resembles traditional manufacturing processes that rely on standardized parts that flow through managed supply chains, but standardized practices for software development have not kept pace with technology changes. They don't include supplier evaluations, quality inspections, security analysis and traceability of parts that go bad over time. So, new security vulnerabilities or functional bugs are not discovered.
"Developers have lived through the transformation from artisan craftsmanship to modern assembly of software, [but] other IT professionals in their organizations have failed to take notice," said Derek Weeks, vice president and DevOps advocate for survey co-sponsor Sonatype.
DevSecOps to the rescue
DevSecOps teams have taken steps to secure open source code. Of survey respondents that use DevOps, 38% have a complete bill of materials to control all software components. Also, 44% of DevOps organizations use open source governance tools and practices, compared with 19% of those that don't employ DevOps. These governance policies detail specific rules about what open source components are acceptable or unacceptable for use, and weigh attributes such as supplier track records, component age, license restrictions and known security vulnerabilities.
In many organizations, the policies designed to secure open source software are still paper-based and run by teams outside of the development pipeline. The average organization uses over 200,000 open source components annually, so manual reviews by those outside of development simply cannot keep pace. Open source governance teams commonly spend four to 12 weeks to return evaluations to development teams, with three to four hours to evaluate a single component, Weeks said.
To reduce OSS governance reviews turnaround, companies invest in automated open source governance tools that integrate directly into the software development pipelines. "By integrating approvals, warnings or rejections into the developers own tools, decisions can move at the modern pace of development, while also minimizing rework," Weeks said.
Automate, but remember security basics
DevOps organizations also increasingly integrate automated security into their software development and test practices to reduce the burden for large workloads. DevOps groups are 338% more likely to invest there than DevOps-less peers, the survey said.
Consider that a single developer often makes dozens of changes to code a day, all of which must be tested. Then, there's huge pressure to deploy quickly. "So, when security gets in the way of developers, they just bypass it," said Matt Heusser, managing consultant at Excelon Development LLC in Grand Rapids, Mich.
Developers surveyed concur -- they know security is important, but 48% said they didn't have time to spend on it.
The survey reports other ways DevOps organizations support software developers and testers. For example, investments in container and app security tools are more than twice that of those without DevOps. Also, 88% of DevOps users provide security training, while 35% of others have no access to security training.
Heusser is encouraged by the survey's finding that web application firewalls top organizations' list of important app security tools. It's wise for organizations to stick to basics, and legacy practices are often overlooked, he said.
Nevertheless, software pros should always take these industry surveys with a grain of salt, as they often present results that prove sponsoring vendors' claims, Heusser said.