Open source software (OSS) continues to grow in popularity and remains a key part of application development. The advantages of using open source code are fairly obvious: it's free, ready-made and customizable, and it lets teams get software to market faster, which is a critical differentiator in today's rapidly changing world. But when OSS is not properly managed, it can become a significant source of risk, from licensing to security to the overall quality of your software.
According to a recent report by Synopsys, nearly every one of the 1,250+ codebases the company audited contained open source components. Open source made up 70% of the code in those codebases, 75% of the codebases contained known OSS vulnerabilities, and a whopping 91% contained OSS components with no development activity over the past four years.
It’s clear that OSS will continue to grow in usage as the speed of development continues to accelerate. So, in our third blog on Forrester’s The State of Application Security 2020 industry report, we discuss the security implications of using OSS.
Scary Stats to Demonstrate Risk
The primary security problem with using OSS components boils down to a failure to maintain (patch and update) the code, which leaves applications exposed to vulnerabilities that are already public and already fixed upstream. According to the Forrester report, the number of reported OSS vulnerabilities grew by nearly 50% over 2018. OSS vulnerabilities affect container security too: the most popular Docker images carry tens or even hundreds of known vulnerabilities in the packages they bundle.
Here's another problem. Because the same libraries are reused across an enormous number of projects, a flaw in one library can affect hundreds of thousands of applications at once, and every one of them becomes a target. At the same time, fixes for OSS vulnerabilities aren't published in one centralized repository; each project announces patches and new releases in its own way, so tracking and inventorying all the vulnerabilities, patches and updates that apply to your code is not easily done. Managing the security (and compliance) of OSS can therefore become an operational nightmare. So, where does that leave us?
Use the Right Tools—Effectively
According to the Forrester report, this is where Software Composition Analysis (SCA) tools can play a critical role. SCA tools can be incorporated early in the SDLC to identify the open source components in an application, track the known vulnerabilities that affect them, and give developers actionable remediation steps (typically, which version to upgrade to) that they can take immediately with less effort. Moreover, they provide visibility into OSS usage, essentially offering an inventory of the open source in your applications.
Additionally, SCA will complement the other tools in your security scanning arsenal such as:
- SAST: Static application security testing looks for vulnerabilities in your own source code without running it
- Container scanning tools detect misconfigurations in container images and vulnerabilities in the software packaged inside them
- DAST: Dynamic application security testing detects vulnerabilities by testing an application from the outside, as it's running
- IAST: Interactive application security testing instruments the running application to find vulnerabilities while functional tests exercise it
- Cloud configuration tools assess a cloud account (an AWS account, for example) for misconfigurations and exploitable weaknesses
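What an SCA tool does at its core, as an added example for this post (it is not code from the original page or from any SCA product): build an inventory of pinned components from a manifest, then match each component against a vulnerability feed that records the affected version range and the fixed version, and report the concrete upgrade. The manifest, the fictional package names, the EXAMPLE-* advisory IDs and the version ranges are all constructed for illustration.

```python
"""SCA-style check: build an inventory from a pinned manifest and match it
against a vulnerability feed with affected-version ranges.

Added example for this post; not code from the original page or from any
SCA product. The manifest, package names, advisory IDs (EXAMPLE-*) and
version ranges below are constructed for illustration.
"""
import re

# Constructed manifest in requirements.txt style (name==version). Fictional packages.
MANIFEST = """\
# application dependencies (constructed example)
jsonkit==1.4.0
httpcore-lite==0.9.3
yamlparse==5.1
webframe==2.0.1
"""

# Constructed vulnerability feed. A component is affected when
# introduced <= installed < fixed. IDs are placeholders, not real CVEs.
VULN_FEED = [
    {"id": "EXAMPLE-0001", "package": "httpcore-lite", "introduced": "0", "fixed": "1.0.0", "severity": "high"},
    {"id": "EXAMPLE-0002", "package": "yamlparse", "introduced": "0", "fixed": "5.2", "severity": "critical"},
    {"id": "EXAMPLE-0003", "package": "jsonkit", "introduced": "1.5.0", "fixed": "1.5.2", "severity": "medium"},
    {"id": "EXAMPLE-0004", "package": "webframe", "introduced": "2.0.0", "fixed": "2.0.1", "severity": "high"},
]

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

REQ_LINE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9_.\-]*)==([0-9]+(?:\.[0-9]+)*)$")


def parse_manifest(text):
    """Return {package_name: pinned_version}. Unpinned lines are an error:
    a component you cannot pin is a component you cannot reliably scan."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = REQ_LINE.match(line)
        if not m:
            raise ValueError(f"unpinned or unparsable requirement: {line!r}")
        inventory[m.group(1).lower()] = m.group(2)
    return inventory


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def version_lt(a, b):
    """Numeric dotted-version comparison, padded so that 5.1 == 5.1.0."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return ta < tb


def is_affected(installed, introduced, fixed):
    # Half-open range: the fixed version itself is not affected.
    return not version_lt(installed, introduced) and version_lt(installed, fixed)


def find_vulnerabilities(inventory, feed):
    """Match each feed entry against the inventory and return findings with
    the concrete fix, highest severity first."""
    findings = []
    for adv in feed:
        installed = inventory.get(adv["package"].lower())
        if installed is None:
            continue  # component not used by this application
        if is_affected(installed, adv["introduced"], adv["fixed"]):
            findings.append({
                "id": adv["id"],
                "package": adv["package"],
                "installed": installed,
                "severity": adv["severity"],
                "fix": f"upgrade {adv['package']} to >= {adv['fixed']}",
            })
    findings.sort(key=lambda f: (-SEVERITY_RANK[f["severity"]], f["package"]))
    return findings


if __name__ == "__main__":
    inv = parse_manifest(MANIFEST)
    print(f"inventory: {len(inv)} components")
    for f in find_vulnerabilities(inv, VULN_FEED):
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['installed']}: {f['fix']}")
```

Two details matter in practice and are exercised here: the affected range is half-open, so a component already at the fixed version (webframe 2.0.1) is not reported, and versions are compared numerically rather than as strings, so 5.1 and 5.1.0 are the same release. Real SCA tools do the same matching against transitive dependencies and lockfiles, and against advisory data that often lists several introduced/fixed pairs per advisory; a production matcher must handle the full version syntax of each ecosystem.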
Time to Embrace Automation
Scanning helps identify and address vulnerabilities early in the software development lifecycle (SDLC), with SCA tools covering open source components and SAST, DAST and IAST tools covering custom code. But while effective, these scanning tools produce a lot of data, and time-strapped teams racing to produce new applications often view that data as burdensome. Why? Because understanding and correlating the output of different scanning tools, each with its own format and severity scale, and then prioritizing the fixes requires considerable effort and time, something teams have in short supply.
Further, time spent sorting through data doesn’t always get you to the right solution for your specific business. Organizations need a way to orchestrate their scanning tools and automatically pinpoint vulnerabilities that are critical to their specific business, in both open source and proprietary code.
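The correlation and prioritization step described above, as an added example for this post (it is not ZeroNorth code and not the output format of any real scanner): findings from an SCA tool, a container scanner and two SAST tools are folded into one remediation unit per vulnerable component or code location, and the units are ranked by severity weighted by a per-application business criticality. The tool names, application names, asset weights and findings are constructed; EXAMPLE-* IDs are placeholders, not real advisories.

```python
"""Correlate and de-duplicate findings from several scanners into single units
of remediation work, ranked by business risk rather than raw severity.

Added example for this post; not ZeroNorth code or any real scanner's output
format. Tool names, applications, asset weights and the findings themselves
are constructed (EXAMPLE-* IDs are placeholders, not real advisories).
"""

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed business criticality per application (assumption: an
# internet-facing payments service outweighs an internal reporting tool).
ASSET_WEIGHT = {"payments-api": 3, "internal-reporting": 1}

# Constructed, already-normalized findings from three kinds of scanner.
RAW_FINDINGS = [
    {"tool": "sca-a", "app": "payments-api", "kind": "dependency",
     "package": "yamlparse", "version": "5.1", "id": "EXAMPLE-0002", "severity": "critical"},
    # the same vulnerable library reported again from inside the built container image
    {"tool": "container-scan", "app": "payments-api", "kind": "dependency",
     "package": "yamlparse", "version": "5.1", "id": "EXAMPLE-0002", "severity": "high"},
    # two SAST tools flagging the same SQL-injection sink with different severities
    {"tool": "sast-b", "app": "payments-api", "kind": "code",
     "file": "src/db.py", "line": 42, "id": "CWE-89", "severity": "high"},
    {"tool": "sast-c", "app": "payments-api", "kind": "code",
     "file": "src/db.py", "line": 42, "id": "CWE-89", "severity": "medium"},
    # a critical finding on a low-value internal application
    {"tool": "sca-a", "app": "internal-reporting", "kind": "dependency",
     "package": "httpcore-lite", "version": "0.9.3", "id": "EXAMPLE-0001", "severity": "critical"},
]


def correlation_key(f):
    """Two findings are the same piece of work when they point at the same
    vulnerable component (or the same code location) in the same application."""
    if f["kind"] == "dependency":
        return (f["app"], "dependency", f["package"], f["version"], f["id"])
    return (f["app"], "code", f["file"], f["line"], f["id"])


def correlate(findings):
    """Fold raw findings into remediation units: keep the highest severity any
    tool assigned and remember which tools agreed."""
    units = {}
    for f in findings:
        key = correlation_key(f)
        if f["kind"] == "dependency":
            target = f["package"] + "==" + f["version"]
        else:
            target = f"{f['file']}:{f['line']}"
        unit = units.setdefault(key, {
            "app": f["app"], "kind": f["kind"], "id": f["id"],
            "target": target, "severity": f["severity"], "tools": set(),
        })
        unit["tools"].add(f["tool"])
        if SEVERITY_RANK[f["severity"]] > SEVERITY_RANK[unit["severity"]]:
            unit["severity"] = f["severity"]
    return list(units.values())


def business_risk(unit):
    """Severity scaled by how much the business depends on the affected asset."""
    return SEVERITY_RANK[unit["severity"]] * ASSET_WEIGHT.get(unit["app"], 1)


def prioritize(units):
    return sorted(units, key=lambda u: (-business_risk(u), u["app"], u["id"]))


if __name__ == "__main__":
    for u in prioritize(correlate(RAW_FINDINGS)):
        print(f"risk={business_risk(u):2} {u['severity']:8} {u['app']} {u['target']} "
              f"{u['id']} (reported by {', '.join(sorted(u['tools']))})")
```

Five raw findings become three work items. The point of the weighting shows in the ordering: the critical advisory on the internal reporting app ranks below the high-severity injection sink in the payments service, because the business exposure, not the scanner's label alone, decides what developers fix first. The correlation key is the fragile part of any such pipeline; if tools disagree on package naming or report file paths relative to different roots, the same issue will not collapse into one unit, so normalizing those fields before correlation is where most of the real effort goes.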
Remove the Management Complexity to Improve Security
This is something we often hear in our own conversations with ZeroNorth customers. More and more security and development teams want to incorporate orchestration and automation into their application security strategy to quickly find the vulnerabilities in both open source and proprietary code, and to remove the complexity associated with managing them.
The ZeroNorth platform helps make vulnerability data manageable and effective. It orchestrates the scanning tools used throughout the SDLC and automatically correlates and dedupes the vulnerability data from multiple tools to remove unnecessary noise and create single units of remediation work for developers, prioritized by business risk. With ZeroNorth, security and business executives gain visibility into the overall security posture and a single source of truth for security risk, while developers get correlated, optimized vulnerability data for both proprietary and open source code that works with, rather than disrupts, their SDLC tools and processes.