
Week Three Featuring Research From Forrester: How to Make Open Source Software Work For You

DevSecOps Quick Start

Publish Date

Jun 26, 2020

Written by


ZeroNorth

Tagged with

  • DevSecOps Quick Start

Open source software (OSS) continues to grow in popularity and remains a key part of application development. The advantages of using open source code are fairly obvious: it's free, ready-made and customizable, and it lets teams get software to market faster, which is a critical differentiator in today's rapidly changing world. But when OSS is not properly managed, it can become a significant source of risk, from licensing to security to the overall quality of your software.

According to a recent report by Synopsys, nearly every one of the more than 1,250 codebases the company audited contained open source components. On average, 70% of the code in those codebases was open source, 75% of the codebases contained at least one OSS vulnerability, and a whopping 91% contained OSS components with no development activity in the past four years[1].

It's clear that OSS usage will keep growing as the speed of development continues to accelerate. So, in our third post on Forrester's The State of Application Security, 2020 report, we discuss the security implications of using OSS.

Scary Stats to Demonstrate Risk

The primary security problem with using OSS components boils down to a failure to maintain the code: components are pulled in once and then never patched or updated, which leaves the application exposed to every vulnerability disclosed in them afterwards. According to the Forrester report, the number of reported OSS vulnerabilities rose by nearly 50% compared with 2018. OSS vulnerabilities affect container security too: the most popular Docker images carry tens or even hundreds of known vulnerabilities in their base OS packages and bundled libraries.

Here's another problem. A single popular library is reused by hundreds of thousands of applications, so one flaw in it is inherited by all of them, which is exactly the kind of leverage attackers look for. And there is no single, centralized repository that publishes updates and patches for every OSS project: each consuming team has to learn of the advisory, find the affected version in its own dependency tree (often several levels deep in transitive dependencies) and apply the fix. Managing the security (and license compliance) of OSS can therefore become an operational nightmare, because tracking and inventorying every vulnerability, patch and update by hand is not realistic. So, where does that leave us?

Use the Right Tools—Effectively

According to the Forrester report, this is where Software Composition Analysis (SCA) tools play a critical role. An SCA tool builds an inventory of the open source components in a build, including transitive dependencies, matches each component's version against vulnerability databases (and license data), and tells developers which version fixes each issue, so remediation is usually a version bump rather than a research project. Because SCA works from the dependency manifest or lock file, it can run early in the SDLC, in the IDE or on every pull request, long before the code reaches a running environment.
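The following is an added illustration of what an SCA tool does at its core, not code from the Forrester report or from any product: it parses a pinned dependency manifest into an inventory, matches each component's version against an advisory feed using numeric version ranges, and flags components whose last upstream release is years old (the unmaintained-component signal from the Synopsys figures above). The manifest, the advisories (ADV-0001 etc.), the package names and the release dates are all constructed for the example; none are real packages or CVEs.

```python
"""Minimal SCA check: inventory pinned dependencies and match them against
an advisory feed. Illustrative code added here; all package names, advisory
identifiers and dates below are constructed, not real."""
from datetime import date

# Constructed manifest in pip requirements.txt style (name==version).
MANIFEST = """\
# web stack
webframework==2.3.1
jsonparse==1.0.4   # pinned years ago, never bumped
imagelib==0.9.0
"""

# Constructed advisory feed. A version is affected if
# introduced <= version < fixed; fixed=None means no fixed release exists.
ADVISORIES = [
    {"id": "ADV-0001", "package": "jsonparse", "introduced": "1.0.0", "fixed": "1.0.5", "severity": "high"},
    {"id": "ADV-0002", "package": "imagelib", "introduced": "0.8.0", "fixed": "1.0.0", "severity": "critical"},
    {"id": "ADV-0003", "package": "webframework", "introduced": "2.0.0", "fixed": "2.3.0", "severity": "medium"},
]

# Constructed release metadata, used to flag unmaintained components.
LAST_RELEASE = {
    "webframework": date(2020, 3, 1),
    "jsonparse": date(2015, 6, 1),
    "imagelib": date(2019, 11, 1),
}
AS_OF = date(2020, 6, 26)  # assumed "today" for the staleness check


def parse_version(v: str) -> tuple:
    """'1.10.2' -> (1, 10, 2). Numeric comparison matters: as strings,
    '1.0.10' < '1.0.5', which would mark a fixed version as vulnerable.
    Only plain dotted-numeric versions are handled here."""
    return tuple(int(p) for p in v.split("."))


def parse_manifest(text: str) -> dict:
    """Return {package: version} from a requirements-style manifest."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        if "==" not in line:
            # An unpinned dependency cannot be assessed reproducibly.
            raise ValueError(f"unpinned dependency, cannot assess: {line!r}")
        name, version = (s.strip() for s in line.split("==", 1))
        inventory[name.lower()] = version
    return inventory


def is_affected(version: str, introduced: str, fixed) -> bool:
    """True if version lies in the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(introduced):
        return False
    return fixed is None or v < parse_version(fixed)


def scan(manifest: str, advisories: list) -> list:
    """Match the inventory against the feed; each finding names the fix."""
    inventory = parse_manifest(manifest)
    findings = []
    for adv in advisories:
        installed = inventory.get(adv["package"])
        if installed and is_affected(installed, adv["introduced"], adv["fixed"]):
            fix = f"upgrade to {adv['fixed']}" if adv["fixed"] else "no fixed release; replace or mitigate"
            findings.append({"id": adv["id"], "package": adv["package"], "installed": installed,
                             "severity": adv["severity"], "fix": fix})
    return findings


def stale_components(manifest: str, releases: dict, today: date, years: int = 4) -> list:
    """Components whose last upstream release is older than `years`."""
    return sorted(name for name in parse_manifest(manifest)
                  if name in releases and (today - releases[name]).days > 365 * years)


if __name__ == "__main__":
    for f in scan(MANIFEST, ADVISORIES):
        print(f"{f['severity']:8} {f['id']} {f['package']}=={f['installed']}: {f['fix']}")
    print("unmaintained:", stale_components(MANIFEST, LAST_RELEASE, AS_OF))
```

On the constructed input this reports jsonparse 1.0.4 (ADV-0001, fix 1.0.5) and imagelib 0.9.0 (ADV-0002, fix 1.0.0), leaves webframework 2.3.1 alone because 2.3.1 is past the fixed version 2.3.0, and lists jsonparse as unmaintained. A real SCA tool does the same matching over a lock file that includes transitive dependencies and over a feed of thousands of advisories with richer version semantics, but the two inputs (inventory and advisory ranges) and the output (finding plus fixed version) are the same.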

Additionally, SCA complements the other tools in your security scanning arsenal, each of which covers a different layer:

  • SAST: Static application security testing analyzes your own source code (or binaries) without running it, to find flaws such as injection or unsafe deserialization in custom code
  • Container image scanners detect vulnerable OS and language packages inside the image's layers, as well as image misconfigurations
  • DAST: Dynamic application security testing detects vulnerabilities by testing an application from the outside, as it's running, the way an attacker would
  • IAST: Interactive application security testing instruments the running application so that vulnerabilities are observed from inside it while functional tests exercise the code
  • Cloud configuration tools assess a cloud account (an AWS account, for example) for misconfigurations and exploitable settings

Time to Embrace Automation

Scanning helps identify and address vulnerabilities early in the software development lifecycle (SDLC), with SCA covering the open source components and SAST, DAST and IAST covering the custom code around them. But while effective, these scanning tools produce a lot of data, and the same defect is often reported by more than one of them. Time-strapped teams racing to produce new applications often view this data as burdensome. Why? Because understanding and correlating information from the different tools and prioritizing fixes requires considerable effort and time, something teams have in short supply.

Further, time spent sorting through raw findings doesn't always get you to the right decision for your specific business: a critical finding in an internal tool rarely deserves the same urgency as a high one in an internet-facing payment service. Organizations need a way to orchestrate their scanning tools and automatically pinpoint the vulnerabilities that matter most to their specific business, in both open source and proprietary code.

Remove the Management Complexity to Improve Security

This is something we often hear in our own conversations with ZeroNorth customers. More and more security and development teams want to incorporate orchestration and automation into their application security strategy to quickly find the vulnerabilities in both open source and proprietary code, and to remove the complexity associated with managing them.

The ZeroNorth platform helps make vulnerability data manageable and actionable. It orchestrates the scanning tools used throughout the SDLC and automatically correlates and de-duplicates the vulnerability data from multiple tools, removing unnecessary noise and creating single units of remediation work for developers, prioritized by business risk. With ZeroNorth, security and business executives gain visibility into the overall security posture and a single source of truth for security risk, while developers get correlated, optimized vulnerability data for both proprietary and open source code that works with, rather than disrupts, their SDLC tools and processes.
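To make the correlate-and-de-duplicate step concrete, here is an added example of the underlying technique; it is illustrative code written for this post, not ZeroNorth's implementation or data model. Findings from several tools are normalized, grouped under a fingerprint that identifies the same underlying defect regardless of which tool reported it, and each resulting remediation unit is ranked by severity weighted with an assumed business criticality for the affected application. The tool names, applications, findings (including the ADV-0001 and ADV-0002 identifiers) and the weights are all constructed for the example.

```python
"""Correlate and de-duplicate scanner findings into remediation units ranked
by business risk. Illustrative code added here, not a product's own logic;
tool names, findings and weights are constructed."""
from collections import defaultdict

SEVERITY_SCORE = {"critical": 10, "high": 7, "medium": 4, "low": 1}

# Assumed business-criticality weights per application: an internet-facing
# payment service versus an internal wiki.
ASSET_WEIGHT = {"payments-api": 3.0, "intranet-wiki": 1.0}

# Constructed raw findings, as three kinds of tool might emit them. Note the
# same OSS defect reported by two SCA tools and a container scanner, with
# inconsistent severity labels.
RAW_FINDINGS = [
    {"tool": "sca-a", "app": "payments-api", "kind": "oss", "component": "jsonparse",
     "version": "1.0.4", "adv": "ADV-0001", "severity": "high"},
    {"tool": "container-scan", "app": "payments-api", "kind": "oss", "component": "jsonparse",
     "version": "1.0.4", "adv": "ADV-0001", "severity": "HIGH"},
    {"tool": "sca-b", "app": "payments-api", "kind": "oss", "component": "jsonparse",
     "version": "1.0.4", "adv": "ADV-0001", "severity": "medium"},
    {"tool": "sast", "app": "payments-api", "kind": "code", "file": "src/pay.py",
     "line": 88, "rule": "sql-injection", "severity": "critical"},
    {"tool": "sast", "app": "intranet-wiki", "kind": "code", "file": "src/search.py",
     "line": 12, "rule": "sql-injection", "severity": "critical"},
    {"tool": "sca-a", "app": "intranet-wiki", "kind": "oss", "component": "imagelib",
     "version": "0.9.0", "adv": "ADV-0002", "severity": "critical"},
]


def normalize(finding: dict) -> dict:
    """Bring tool-specific labels onto one scale (here: severity casing)."""
    return {**finding, "severity": finding["severity"].lower()}


def fingerprint(finding: dict) -> tuple:
    """Key identifying the underlying defect independently of the tool.
    OSS: same app, component, version and advisory. Code: same app,
    file, line and rule."""
    if finding["kind"] == "oss":
        return (finding["app"], "oss", finding["component"], finding["version"], finding["adv"])
    return (finding["app"], "code", finding["file"], finding["line"], finding["rule"])


def correlate(raw_findings: list) -> list:
    """Group duplicates into one remediation unit each and rank by risk."""
    groups = defaultdict(list)
    for finding in map(normalize, raw_findings):
        groups[fingerprint(finding)].append(finding)

    units = []
    for key, members in groups.items():
        # When tools disagree on severity, keep the most severe rating.
        severity = max((m["severity"] for m in members), key=SEVERITY_SCORE.__getitem__)
        app = key[0]
        units.append({
            "app": app,
            "key": key,
            "severity": severity,
            "tools": sorted({m["tool"] for m in members}),
            "raw_count": len(members),
            "risk": SEVERITY_SCORE[severity] * ASSET_WEIGHT.get(app, 1.0),
        })
    # Highest business risk first; the fingerprint breaks ties deterministically.
    units.sort(key=lambda u: (-u["risk"], u["key"]))
    return units


if __name__ == "__main__":
    for u in correlate(RAW_FINDINGS):
        print(f"risk={u['risk']:5.1f} {u['severity']:8} {u['app']:14} "
              f"{u['key'][2:]} reported by {u['tools']} ({u['raw_count']} raw)")
```

Six raw findings collapse into four remediation units. The SQL injection in the payment service ranks first, the jsonparse advisory in the same service second (three raw reports, one unit, rated high rather than the one tool's medium), and the two intranet-wiki items, although both rated critical by their tools, come last once the asset weight is applied. The fingerprint is the design decision that matters: too coarse and distinct bugs get merged, too fine and the same bug is worked three times.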

[1] Source: Synopsys, "5 key takeaways from the 2020 Open Source Security and Risk Analysis report".

