The average organization uses around 229,000 open source components in developing its software, according to research by Sonatype, a provider of software development lifecycle solutions that manages a central repository of these components for the Java development community. According to the survey, thirty-one billion download requests were made to the repository in 2015, compared with 17 billion in 2014.
The number “blows people’s minds,” said Derek Weeks, a VP and DevOps advocate at Sonatype. “The perspective of the application security professional or DevOps security professional or open source governance professional is, ‘This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.’”
The firm also found application security issues related to the use of open source components.
“The application security professional’s usual response to that is ‘that doesn’t mean those vulnerabilities ended up in our applications.’ But when we looked across 25,000 applications we saw an average of 6.8 percent of components across those apps had at least one known vulnerability,” Weeks said. “That tells me that from the beginning of the software supply chain to the end products developed through these supply chains, there isn’t enough control.”
Weeks said that the study was conducted to educate and increase awareness around the massive consumption of open source components.
“By revealing this information, we think we can help change people’s behavior around how they think about and use open source components in wiser, more efficient and safer ways,” he said.
Supply chain best practices can also be applied to improve application security. One example is building in quality as early as possible by sourcing fewer and better components.
“From an application security perspective if you are a CISO that has 2,000 developers individually sourcing components, it is very difficult to audit, protect and maintain your organization. If you limit the number of places where components can come in, you can ensure you know what is coming in and can use the opportunity to vet it,” he said. “This is a fundamental supply chain best practice. Toyota has hundreds of thousands of employees but not hundreds of thousands of employees in procurement; the number of employees that is vetting the components in their products is fairly small.”
Weeks also noted that managing and vetting open source components is further complicated by the fact that separate repositories exist for different development languages, including PHP, Python and Ruby.
Weeks explained: “You might say, ‘You can’t use any component with a CVSS Level 10 vulnerability anywhere in our organization.’ Your solution can automatically check for that and notify the developer. It’s like a food label on a product on the grocery shelf; it can help make a decision as to whether a component complies with the organization’s standards.”
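As an added illustration (not Sonatype's tooling or code from this article), the policy check Weeks describes: a constructed component inventory is matched against a constructed vulnerability feed, any component carrying a vulnerability at or above a CVSS threshold is flagged with a developer notice, and the share of components with at least one known vulnerability (the figure quoted above) is computed. All component names, versions and vulnerability ids are placeholders.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    version: str


# Constructed vulnerability feed: (name, version) -> [(id, CVSS base score)].
# Ids are placeholders, not real advisories.
VULN_FEED = {
    ("lib-beta", "3.4.1"): [("EXAMPLE-0001", 9.8)],
    ("lib-gamma", "0.9.0"): [("EXAMPLE-0002", 5.3), ("EXAMPLE-0003", 10.0)],
}

# Constructed inventory standing in for one application's bill of materials.
INVENTORY = [
    Component("lib-alpha", "1.2.0"),
    Component("lib-beta", "3.4.1"),
    Component("lib-gamma", "0.9.0"),
    Component("lib-delta", "2.0.0"),
]


def known_vulns(component, feed=VULN_FEED):
    """Vulnerabilities recorded for this exact name and version."""
    return feed.get((component.name, component.version), [])


def vulnerable_share(components, feed=VULN_FEED):
    """Fraction of components with at least one known vulnerability."""
    if not components:
        return 0.0
    return sum(1 for c in components if known_vulns(c, feed)) / len(components)


def policy_violations(components, max_cvss, feed=VULN_FEED):
    """(component, id, score) for every vulnerability with CVSS >= max_cvss.
    max_cvss=10.0 is the 'no CVSS 10' rule; a lower value tightens the policy."""
    return [(c, vid, score) for c in components
            for vid, score in known_vulns(c, feed) if score >= max_cvss]


def developer_notice(components, max_cvss, feed=VULN_FEED):
    """The 'food label' sent to the developer; an empty string means the
    inventory complies with the policy."""
    return "\n".join(
        f"{c.name}@{c.version}: {vid} (CVSS {score}) exceeds policy max {max_cvss}"
        for c, vid, score in policy_violations(components, max_cvss, feed))
```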