Intelligent CISO Issue 33 | Page 61

Synopsys study shows open source security top of mind but patching too slow

Synopsys has released the report DevSecOps Practices and Open Source Management in 2020. Produced by the Synopsys Cybersecurity Research Centre (CyRC), the report highlights the findings from a survey of 1,500 IT professionals working in cybersecurity, software development, software engineering and web development. The report explores the strategies that organisations around the world are using to address open source vulnerability management, as well as the growing problem of outdated or abandoned open source components in commercial code.

Open source plays a critical role in today’s software ecosystem. The overwhelming majority of modern codebases contain open source components, with open source often comprising 70% or more of the overall code. Yet paralleling the growth of open source use is the mounting security risk posed by unmanaged open source. In fact, according to the 2020 OSSRA report, 75% of the codebases audited by Synopsys contain open source components with known security vulnerabilities. To combat this situation, respondents to the survey cite identification of known security vulnerabilities as the number one criterion when vetting new open source components.
“It’s clear that unpatched vulnerabilities are a major source of developer pain and ultimately business risk,” said Tim Mackey, Principal Security Strategist of the Synopsys Cybersecurity Research Centre. “The DevSecOps Practices and Open Source Management in 2020 report highlights how organisations are struggling to effectively track and manage their open source risk.”

“Over half – 51% – say it takes two to three weeks for them to apply an open source patch,” Mackey continued. “This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released. The remaining organisations are probably employing manual processes to manage open source processes that can slow down development and operations teams, forcing them to play catch up on security in a climate where, on average, dozens of new security disclosures are published daily.”
Other noteworthy findings in the report include:

• DevSecOps is rapidly growing worldwide. A combined 63% of respondents reported that they are incorporating some measure of DevSecOps activities into their software development pipelines.
• There is no universally adopted application security testing (AST) tool. As the responses to the survey questions indicate, there is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate is still only utilised by less than half of respondents.
• The media plays an important role in open source risk management. 46% of respondents noted that media coverage had prompted their organisation to apply more stringent controls on open source usage.
• 47% of respondents are defining standards around the age of open source components they use. A growing issue in the open source community is project sustainability. A 2020 Synopsys study showed that 91% of codebases audited in 2019 contained open source components that either were more than four years out of date or had no development activity in the past two years. Security risks increase when obsolete code is deployed.
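The age standards in the last bullet (a version more than four years old, or no upstream activity in the past two years) and the known-vulnerability criterion from earlier in the article can be written down as an inventory check. The script below is an added illustration, not Synopsys tooling; the component inventory is constructed, and the vulnerability counts are assumed to come from an SCA tool or advisory feed.

```python
from dataclasses import dataclass
from datetime import date

# Thresholds quoted in the article: a version in use more than four years
# old, or an upstream project with no development activity for two years.
MAX_VERSION_AGE_DAYS = 4 * 365
MAX_INACTIVITY_DAYS = 2 * 365


@dataclass
class Component:
    name: str
    version: str
    released: date        # release date of the version actually shipped
    last_activity: date   # most recent upstream commit or release
    known_vulns: int      # advisory matches for this version (assumed to
                          # be supplied by an SCA tool or advisory feed)


def assess(component, today):
    """Return the policy findings for one component (empty list = clean)."""
    findings = []
    if (today - component.released).days > MAX_VERSION_AGE_DAYS:
        findings.append("version more than four years old")
    if (today - component.last_activity).days > MAX_INACTIVITY_DAYS:
        findings.append("no upstream activity in the past two years")
    if component.known_vulns > 0:
        findings.append(f"{component.known_vulns} known vulnerabilities")
    return findings


def audit(components, today):
    """Map each non-compliant component name to its list of findings."""
    report = {}
    for c in components:
        findings = assess(c, today)
        if findings:
            report[c.name] = findings
    return report


# Constructed sample inventory: names, versions and dates are made up.
AS_OF = date(2020, 6, 1)   # snapshot date used when evaluating the sample
SAMPLE_INVENTORY = [
    Component("libfoo", "1.2.0", date(2015, 1, 10), date(2020, 3, 1), 2),
    Component("libbar", "3.0.1", date(2019, 9, 15), date(2019, 11, 2), 0),
    Component("libbaz", "0.9.0", date(2017, 5, 20), date(2017, 6, 30), 0),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE_INVENTORY, AS_OF).items():
        print(f"{name}: {'; '.join(findings)}")
```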