Intelligent CIO Africa Issue 48 | Page 76

FINAL WORD

Tim Mackey, Principal Security Strategist, Synopsys Cybersecurity Research Center (CyRC)

A growing problem in the open source community around project sustainability

The 2020 Open Source Security and Risk Analysis (OSSRA) report showed that 91% of codebases audited in 2019 contained open source components that were either more than four years out of date or had no development activity in the past two years. This speaks to a situation where either the component used was abandoned by the author and associated community, or, when the component was adopted, the origin point for the component wasn't properly vetted to ensure that it was under active development.

While an argument can be made that some components are functionally complete, this is different to being properly secured against the current threat landscape. To properly address this, consumers of open source components need to look at how projects are being sustained, because if a security issue arises, it can be difficult to get the issue fixed when no-one is looking at the code. Security risks increase when obsolete code is deployed, including the threat of an open source component being hijacked. Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts. Without policies in place to identify and manage the risks that legacy open source can create, organisations open themselves up to the possibility of issues in the software.

a system, meaning that teams reliant upon manual efforts or honour systems are likely one incident away from a major disruption.

Media coverage plays a role in open source risk management

One finding from the research that I find particularly surprising is that 46% of respondents noted that media coverage around open source issues influences how their organisations manage open source risk. This caught my attention in part because most media coverage of open source issues highlights a headline-worthy component, such as a vulnerability in Docker, Kubernetes or Linux, or a headline-worthy victim, such as Equifax. Such high-profile scenarios increase overall awareness of application security issues, but if a business relies on the media as its primary security news feed, then it is exposing itself to greater risk than necessary. Media, in this regard, is reactionary. The last thing that any business leader wants is negative press stemming from a cybersecurity incident. Embracing security information flows using DevSecOps principles can help development and operations teams keep pace with the constantly evolving threat landscape. Automation of AppSec tooling then provides a prime source of security information about any weaknesses in the software powering a business – but only if that information is shared amongst the teams involved in the lifecycle of that software.

No universally adopted application security testing tool

One element to support such policies involves tooling. Survey responses note that there is no universally adopted application security testing tool. Responses to the survey questions also indicate that there is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate is still only utilised by less than half of respondents.

Summing it up

The key to creating secure applications is a cohesive and comprehensive testing process that extends from the beginning of the design phase, all the way through development and into deployment and production. As the pace of software development and innovation continues to increase, it is important to recognise that open source technologies are part of that success. They enable teams to focus on creating unique and valuable solutions while tapping into domain expertise in areas that aren't core to their business.

Properly managing that relationship should be a key priority, and I find it promising that 63% of survey respondents reported that they are incorporating some measure of DevSecOps principles into their software development practices. This is certainly a step in the right direction.
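The column argues that legacy open source needs a policy and an automated system rather than manual effort or honour systems. The following is an added example, not code from the article or from Synopsys: it encodes the two OSSRA thresholds quoted above (a component more than four years out of date, or no development activity in the past two years) as a policy check over a component inventory, plus an adoption-time vetting gate for the "origin point wasn't properly vetted" case. The inventory is constructed sample data, the dates are invented, and the reading of "out of date" as "the deployed release is more than four years older than the newest upstream release" is an assumption.

```python
"""Policy check for legacy open source components (added example, assumptions noted)."""
from dataclasses import dataclass
from datetime import date, timedelta

# Thresholds taken from the OSSRA finding quoted in the article.
FOUR_YEARS = timedelta(days=4 * 365)
TWO_YEARS = timedelta(days=2 * 365)


@dataclass(frozen=True)
class Component:
    name: str
    in_use_version: str
    in_use_released: date   # release date of the version actually deployed
    latest_released: date   # release date of the newest upstream version
    last_activity: date     # most recent commit or release on the upstream project


@dataclass(frozen=True)
class Finding:
    name: str
    reasons: tuple


def evaluate(component: Component, audit_date: date) -> list:
    """Return the policy reasons a component fails, in a fixed order (empty list if it passes)."""
    reasons = []
    # Assumption: "out of date" = deployed release lags the newest release by more than four years.
    if component.latest_released - component.in_use_released > FOUR_YEARS:
        reasons.append("out_of_date")
    # No upstream activity in the last two years suggests an abandoned project.
    if audit_date - component.last_activity > TWO_YEARS:
        reasons.append("no_recent_activity")
    return reasons


def audit(inventory, audit_date: date) -> list:
    """Evaluate every component; only failing ones become findings."""
    findings = []
    for component in inventory:
        reasons = evaluate(component, audit_date)
        if reasons:
            findings.append(Finding(component.name, tuple(reasons)))
    return findings


def vet_for_adoption(component: Component, adoption_date: date) -> bool:
    """Adoption-time gate: only accept projects that showed activity within the last two years."""
    return adoption_date - component.last_activity <= TWO_YEARS


def share_flagged(inventory, audit_date: date) -> float:
    """Fraction of the inventory with at least one finding (the kind of figure OSSRA reports)."""
    return len(audit(inventory, audit_date)) / len(inventory)


# Constructed sample inventory; names, versions and dates are invented for illustration.
SAMPLE_INVENTORY = [
    Component("libfoo", "1.2.0", date(2014, 3, 1), date(2019, 6, 1), date(2019, 6, 1)),     # stale version, live project
    Component("libbar", "3.0.0", date(2017, 5, 10), date(2017, 5, 10), date(2017, 5, 10)),  # current version, abandoned project
    Component("libbaz", "2.4.1", date(2019, 9, 1), date(2019, 11, 1), date(2019, 11, 1)),   # healthy
    Component("libqux", "0.9.0", date(2013, 1, 1), date(2017, 6, 1), date(2017, 6, 1)),     # stale and abandoned
]
AUDIT_DATE = date(2019, 12, 31)  # constructed audit date

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY, AUDIT_DATE):
        print(f"{finding.name}: {', '.join(finding.reasons)}")
    print(f"share flagged: {share_flagged(SAMPLE_INVENTORY, AUDIT_DATE):.0%}")
```

Running the check over the sample data flags three of the four components, and the adoption gate rejects the abandoned one outright; wiring `audit` into a build or SBOM pipeline is what turns the article's policy into a system rather than an honour system.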