Manage Open Source Risk but keep Engineers Empowered

One of the major challenges faced by developers is to create a unique, customized, and compelling customer experience quickly. As a result, they no longer write all their own code to solve every problem. Instead, they assemble, configure, and automate their code and often rely on common open source components to quickly add application functionality.  

One recent study showed a 21% year-over-year increase in the average number of open source components across the study’s evaluated codebase. However, these same critical open source components continue to present a risk to businesses. 

The State of Open Source Consumption 

According to the latest report written by Gordon Haff, a technology evangelist at Red Hat, on the State of enterprise open source, “95% of respondents say open source is strategically important.”  

The survey of 950 IT leaders was commissioned by Red Hat to better understand the unique role of enterprise open source. Interestingly, the respondents are unaware that Red Hat was the sponsor of this research. 

As part of this survey, “77% of respondents agree enterprise open source will continue to grow. They believe that the growth of open source software will come at the expense of proprietary software. Respondents cite security and cloud management tools as top uses of enterprise open source.” 

The benefits they believe to attain from enterprise open source are –  

• Higher Quality Software 
• Lower total cost of ownership 
• Better security 
• Designed to work in cloud, cloud-native tech 
• Ability to safely leverage open source tech 

The report further adds, “63% of IT leaders have a hybrid cloud infrastructure today. Among those who don’t, 54% plan to have one within the next 24 months. And 83% of IT leaders say enterprise open source has been instrumental in their organization’s ability to take advantage of cloud architectures.” 

The common perception is that hybrid cloud architectures and enterprise open source will enable digital transformation. 

The Risk involved with Open Source 

Open Source Security refers to the risks developers and security teams are facing today when running third-party, open source code in their applications, and the processes, methodologies, and tools they are deploying to mitigate them.  

Recent attacks exploiting vulnerabilities in open source code have exacted huge costs from enterprises, highlighting the criticality of Open Source Security and the need to execute and monitor related security strategies. 

Open source risk is growing exponentially. Senior Infosec Architects need a 360-degree view of application security issues across the custom code and open source components before it is pushed through to the QA team. 

• 80% of application code comes from open source libraries 
• 62% of organizations do not have any control over what components are used in their applications 
• 31% of organizations experienced a breach related to vulnerable open-source components 

Open source is powering the digital transformation we are witnessing today and is used by companies of all sizes, across all industry verticals. Yet it also comes with risks. Developers are pulling in vast amounts of open source dependencies without any security control or visibility. 

Acknowledging these risks is an important first step but should be followed up with investment and maintenance of a well-articulated Open Source Security plan that includes continuous security testing and monitoring. 

Why Software Composition Analysis is a ‘Must Have’ 

Software Composition Analysis, commonly referred to as SCA, is a segment of the application security testing (AST) tool market that deals with managing open source component use. Today’s software products rely heavily on open source components.  

Forrester states that, “1 in 8 open source components contain a known security vulnerability. Unfortunately, Security & Development teams are struggling to find and fix them without slowing down development. In order to keep up, your company needs the right SCA solution.” 

One of the main functions of Software Composition Analysis tools is to identify open source components with known vulnerabilities. Good SCA solutions will not only tell you what open source libraries have known vulnerabilities, they will also tell you whether your code calls the affected library and suggest a fix when applicable. The solution should also identify open source libraries in your code base that need to be updated or patched. 

Ideally, the SCA customers may look for providers that – 

• Advise developers about how to remediate vulnerabilities 
• Create consistent policies across different business units and application types 
• Report on strategic risk for security professionals and CISOs 

How can we solve the problem? 

To address the current threat landscape, one need not strive for perfection but should keep moving forward. There is a need for enterprises to adopt a mature SCA security model that includes detection, prioritization, and remediation. By having a matured SCA security model, the security professionals and developers can focus on other priorities. 

As put forth by Gartner analyst Neil MacDonald, “Perfect security is impossible. Zero risk is impossible. We must bring continuous risk and trust-based assessment and prioritization of application vulnerabilities to DevSecOps.” 

A mature SCA tool may include technologies that prioritize open source vulnerabilities. Enterprises can prioritize these open source vulnerabilities by automatically identifying the security vulnerabilities that present the bigger risk.  

After prioritization, it is equally imperative to remediate these vulnerabilities automatically. Based on the security vulnerability policies triggered by vulnerability detection & severity, automated remediation workflows can be initiated. A good SCA solution helps you keep your open source components continuously patched to avoid being exposed to known vulnerabilities. 

The main challenge in today’s complex digital world lies in securing your application. With the right Software Composition Analysis solution, you are one step closer to mitigating your open source risk.  

Cigniti invites you to join an interesting webinar where Rajesh Sarangapani, Head of Innovation & Practice at Cigniti will be joined by Mitun Zavery, Director Pre-Sales Engineering, Sonatype to discuss how enterprises need to secure not just the code they write, but also the code they consume from open source projects. The session will help the attendees understand the state of open source consumption and the risks involved with it. They will also get an understanding on why Software Composition Analysis is a ‘must have’ and how can the open source challenges be dealt with. 

Register for the webinar and save your spot to listen to some interesting insights on Feb 24th, 2021.  

Being a global leader in independent quality engineering services, Cigniti is a strong advocate of Quality Assurance and its implementation right from the early stages of the software lifecycle. We encourage customer feedback and believe in including such feedback in our broader testing approach. We take great measures to ensure that we are fully equipped with state-of-the-art services and have partnered with other experts that specialize in providing testing services. Talk to us.