A global survey of 400 application developers conducted by Vanson Bourne on behalf of Veracode, a unit of CA Technologies that provides software development lifecycle tools, shines a light on how big an issue cybersecurity has become because of organizations failing to update components. The survey finds only 52 percent of developers using commercial or open source components in their applications update those components when a new security vulnerability is announced.
Pete Chestna, director of developer engagement for Veracode, says the root cause of many of these cybersecurity issues is that developers routinely incorporate libraries into their applications. But, after completing that task, there is no bill of materials that enables development teams or cybersecurity professionals to keep track of when those libraries need to be updated and for what reason. Without that bill of materials, it’s easy to miss a critical update addressing a newly discovered cybersecurity vulnerability, Chestna says.
The survey finds 83 percent of developers are using commercial and/or open source components, with an average of 73 components being used per application. But only 23 percent test for vulnerabilities in components as they are updated, even though there are an average of 71 vulnerabilities per application built using third-party components. Furthermore, the survey finds only 53 percent of organizations keep an inventory of all components in their applications.
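The bill-of-materials gap Chestna describes, and the component inventory the survey asks about, come down to one mechanical check: match each component and version the application ships against the advisories published for it, and record what needs updating and why. The script below is an added example written for this article, not code from Veracode or from the survey; the inventory, the advisories, the component names and the advisory ids (marked "placeholder") are all constructed, and the inventory only mirrors the shape of a CycloneDX components list.

```python
"""Minimal bill-of-materials check against a list of advisories.

Added example, not code from the article or from Veracode. A constructed
CycloneDX-style inventory of an application's third-party components is
matched against a constructed advisory list, producing one finding per
component that is below the version in which an issue was fixed.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed bill of materials: one entry per third-party component.
# Keys follow the CycloneDX "components" shape (name, version, purl); the
# component names and versions are invented for this example.
SBOM = {
    "components": [
        {"name": "example-json-parser", "version": "1.2.3",
         "purl": "pkg:maven/example/example-json-parser@1.2.3"},
        {"name": "example-http-client", "version": "4.5.0",
         "purl": "pkg:maven/example/example-http-client@4.5.0"},
        {"name": "example-logging", "version": "2.17.1",
         "purl": "pkg:maven/example/example-logging@2.17.1"},
    ]
}

# Constructed advisories. The ids are placeholders, not real CVE or
# vendor identifiers; "fixed_in" is the first version without the issue.
ADVISORIES = [
    {"id": "ADV-0001 (placeholder)", "name": "example-json-parser",
     "fixed_in": "1.2.5", "reason": "denial of service on malformed input"},
    {"id": "ADV-0002 (placeholder)", "name": "example-http-client",
     "fixed_in": "4.4.2", "reason": "header injection"},
    {"id": "ADV-0003 (placeholder)", "name": "example-logging",
     "fixed_in": "2.17.1", "reason": "remote code execution via lookup"},
    {"id": "ADV-0004 (placeholder)", "name": "example-unused-lib",
     "fixed_in": "9.9.9", "reason": "not shipped by this application"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a tuple of ints so that
    versions compare numerically (1.10.0 > 1.9.0) rather than as text."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class Finding:
    component: str   # component name from the inventory
    installed: str   # version the application currently ships
    fixed_in: str    # first version that addresses the advisory
    advisory: str    # advisory id (placeholder here)
    reason: str      # why the update matters


def outdated_components(sbom: dict, advisories: List[dict]) -> List[Finding]:
    """Return one Finding per component whose shipped version is older than
    an advisory's fixed-in version. Components that are not in the inventory
    are skipped, and a component already at the fixed-in version is not
    reported."""
    installed = {c["name"]: c["version"] for c in sbom["components"]}
    findings: List[Finding] = []
    for adv in advisories:
        name = adv["name"]
        if name not in installed:
            continue  # advisory is for a component this application does not use
        if parse_version(installed[name]) < parse_version(adv["fixed_in"]):
            findings.append(Finding(name, installed[name], adv["fixed_in"],
                                    adv["id"], adv["reason"]))
    return findings


def inventory_size(sbom: dict) -> int:
    """Number of third-party components recorded in the bill of materials."""
    return len(sbom["components"])


if __name__ == "__main__":
    print(f"{inventory_size(SBOM)} components in inventory")
    for f in outdated_components(SBOM, ADVISORIES):
        print(f"{f.component} {f.installed}: update to {f.fixed_in} "
              f"({f.advisory}: {f.reason})")
```

Run as-is it reports the one component that sits below its fixed-in version; the component that already ships at the fixed version and the component the application does not use produce nothing, which is the behaviour a team wants when the same advisory feed is run against many applications. The version comparison is deliberately simple (numeric dotted versions only); real ecosystems need the comparison rules of their package manager.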
The reasons organizations rely so much on open source and commercial software versus writing their own code span everything from best practices (53 percent) and an ability to work faster (51 percent) to being able to access advanced capabilities (47 percent) and company policy (47 percent). Whatever the reason, it’s apparent that more applications are being assembled rather than being developed completely from the ground up.
The top factors considered when selecting modules to be included in an application include functionality (62 percent), performance (48 percent), cost (44 percent), known security vulnerabilities (42 percent) and reliability (40 percent).
Unfortunately, there’s not much in the way of DevSecOps processes spanning the development lifecycle. This report shows that development (44 percent) or security (31 percent) teams are most likely to be responsible for the maintenance of third-party commercial and open source components. But the number of organizations that enable developers and cybersecurity teams to work together remains relatively small. A quarter (25 percent) admit they don’t even have a formal application security (AppSec) program in place.
On the plus side, more organizations (41 percent) say they are likely to choose DevOps as their IT methodology, which, longer term, should put them in a better position to embrace DevSecOps.
When it comes to open source software, Chestna says that IT organizations would do well to remember that free software is much more akin to a free puppy versus say a traditional gift. Puppies require ongoing food and maintenance that comes at a cost to the owner. When IT organizations elect to employ open source software, they are assuming a set of responsibilities that many of them still don’t fully appreciate, notes Chestna.
Of course, the good news is that it’s a lot easier to swap out a module of code than it is to return a puppy.
— Mike Vizard