Forbes Insights and BMC recently released their second annual security survey, which stated that known security vulnerabilities are still the leading cause of exposure to data breaches and cyber threats.
I was genuinely amazed to hear the surprised feedback from many software security professionals wondering how that can be the case.
Components With Known Security Vulnerabilities Have Become a Top Threat
Just knowing how extensively software developers rely on open source components, combined with the fact that there are so many vulnerable open source components out there and that most developers do not have the right tools to detect them before integrating them into their software, should make the picture very clear to us all.
Even back in 2013, OWASP updated its OWASP Top Ten list to include the risk of using third party components with known vulnerabilities. A lot has changed since then, but only in magnitude. As Forrester only recently reported, third party components account for 80% to 90% of software products’ code, and 1 out of 16 open source components has a vulnerability.
You Need to Adapt Your Application Security Strategy
If all recent research points out that vulnerable open source components have become a top threat, then how come in over 50% of enterprises no one is responsible for identifying and tracking open source vulnerabilities and their remediation?
The fact that the technology to automate the process of finding and fixing open source vulnerabilities in your software exists and is quite mature baffles me. Is it really just awareness that prevents a higher number of enterprises from adopting this technology?
In addition, this technology is not only available, mature, and quite affordable: it can also alert on problems very early in your software development lifecycle (SDLC) and therefore shift your entire application security left, leading to a major time and cost reduction later on.
So How Does This Technology Work?
Open source security tools do not discover vulnerabilities themselves. Open source security vulnerabilities are discovered by the open source community, verified by MITRE (which maintains the Common Vulnerabilities and Exposures database) or other security advisories and, fortunately, in over 90% of cases fixed by the open source community. That means your developers can detect these risky components before ever adding them to their software.
These tools identify the open source components in your build, or other environments, by calculating a digital signature for each file and then cross-referencing it with their databases. Once an open source component is identified, the tool pulls all relevant information on that component from the database, including the vulnerabilities impacting this library or file.
The main differentiator between vendors is their database. Some focus on security vulnerabilities only, while others also provide information on licenses, software bugs, newer versions, suggested remediation paths and more. Another aspect is the accuracy of the database, which depends on how the vendor aggregates the information collected from different sources and how quickly it responds to new disclosures.
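To make the mechanism concrete, here is an added illustration (not code from the post or from any vendor's product) of the signature-and-lookup approach described above, extended with the kind of automated policy gate the post goes on to expect of these tools: each build file is fingerprinted with SHA-256, matched against a component database, and the build is blocked when a matched component carries a vulnerability at or above a severity threshold. The database, file contents, component names and advisory IDs are all constructed for the example.

```python
import hashlib
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for a vendor database: key is the SHA-256 digest of a
# component's bytes, value is what the database knows about it. Real tools
# aggregate this from CVE/NVD and other advisories; these entries are invented.
COMPONENT_DB = {
    hashlib.sha256(b"example-lib 1.0 contents").hexdigest(): {
        "name": "example-lib", "version": "1.0", "fixed_in": "1.1",
        "vulns": [{"id": "EXAMPLE-2017-0001", "severity": 9.8}],
    },
    hashlib.sha256(b"example-lib 1.1 contents").hexdigest(): {
        "name": "example-lib", "version": "1.1", "fixed_in": None, "vulns": [],
    },
    hashlib.sha256(b"other-util 2.3 contents").hexdigest(): {
        "name": "other-util", "version": "2.3", "fixed_in": "2.4",
        "vulns": [{"id": "EXAMPLE-2016-0042", "severity": 4.3}],
    },
}

def fingerprint(contents: bytes) -> str:
    """Digital signature of one file: the SHA-256 digest of its bytes."""
    return hashlib.sha256(contents).hexdigest()

def identify(build_files: Dict[str, bytes]) -> Dict[str, Optional[dict]]:
    """Map each file path in the build to its database record, or None if unknown."""
    return {path: COMPONENT_DB.get(fingerprint(data)) for path, data in build_files.items()}

def policy_check(build_files: Dict[str, bytes], max_severity: float = 7.0) -> Tuple[bool, List[str]]:
    """Return (passed, findings); any vulnerability at or above max_severity blocks the build."""
    findings, passed = [], True
    for path, record in identify(build_files).items():
        if record is None:
            # An exact-hash miss means "not identified", not "safe": a recompiled or
            # patched copy of a known library will not match its published digest.
            findings.append(f"{path}: unknown component (not in database)")
            continue
        for v in record["vulns"]:
            fix = f"upgrade to {record['fixed_in']}" if record["fixed_in"] else "no fix available"
            findings.append(f"{path}: {record['name']} {record['version']} has {v['id']} "
                            f"(severity {v['severity']}), {fix}")
            if v["severity"] >= max_severity:
                passed = False
    return passed, findings

# Constructed build directory: one vulnerable library, one low-severity one, one unknown file.
SAMPLE_BUILD = {
    "lib/example-lib-1.0.jar": b"example-lib 1.0 contents",
    "lib/other-util-2.3.jar": b"other-util 2.3 contents",
    "lib/in-house.jar": b"proprietary code",
}

if __name__ == "__main__":
    ok, report = policy_check(SAMPLE_BUILD)
    print("\n".join(report))
    print("BUILD PASSED" if ok else "BUILD BLOCKED")
```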
Latest Forrester Research Points to the Answers
The Forrester SCA Wave analysis released two weeks ago reinforces this trend in application security. The report claims that enterprises are turning to automated tools for detection of components with known vulnerabilities. It goes on to explain that the pace of software development and deployment continues to increase due to market demands, which forces companies to increase their usage of open source components whether or not they have the right process in place to deal with the unique challenges of open source components.
The report evaluated the top 6 vendors in this field and how enterprises are using these tools to deal with the growing security risk of components with known vulnerabilities. It determined that security professionals’ minimum expectations from these tools are:
- Find & fix vulnerable open source components
- Integrate these tools throughout the software development lifecycle (SDLC), including your repositories, build tools, CI servers and more, and enforce policies automatically in all these environments to block risky components as early as possible.
- Detect & resolve license compliance issues
Needless to say, WhiteSource is immensely proud to be rated as the best product offering in the market due to its superior capabilities of vulnerability identification, policy management, and SDLC integration.
You can download the Forrester report here to better understand the full 38-criteria evaluation and its conclusions.
What's on the Horizon?
Market demands for faster software releases are unavoidable. The main challenge for software development and security professionals these days is to understand how to better meet these requirements with the resources available to them. Open source is a huge part of this equation, but we must not forget the unique obstacles that come with the usage of open source components.