Open Source: It’s All Fun and Games Until Millions of People Have Their Data Stolen
Vulnerabilities in open source software components continue to compromise the security of many enterprise applications.
A new survey of 5,558 IT professionals reveals a staggering amount of enterprise-level practices that may very well lead to the next Equifax-type data breach. Published by Sonatype (in partnership with Cloudbees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit, and Twistlock), the 2019 DevSecOps Community Survey paints a rather unsettling picture of how a large number of enterprises are handling cybersecurity concerns, particularly when it comes to their use of open source components.
“Today, over 85 percent of a modern application is built from open source components as developers chose to download in a second what might take days or weeks to write from scratch,” the survey explains.
The survey also points out, however, that breaches tied to open source components have increased 71 percent over a five-year period, with 24 percent of devs surveyed acknowledging a suspected or confirmed breach of this nature.
While this statistic alone is alarming, putting it into its larger context makes it exponentially so: 2014 was the year of the OpenSSL Heartbleed bug, which led to 4.5 million patients of a hospital group having their names, addresses, social security numbers, etc. stolen by a Chinese hacker group. And then of course there was the Equifax breach in 2017, in which 143 million people had their data compromised when hackers successfully exploited a vulnerability in the Apache Struts framework.
But instead of companies shoring up their security practices en masse, the survey reveals that many are setting themselves up for a repeat of history. Forty-seven percent of companies with mature DevOps practices “do not have meaningful controls over what [open source] components are in their applications,” even as their use – and known vulnerabilities – are on the rise.
And this is not just an issue plaguing DevOps practices, where the need for speed has led to a surge in the use of open source components; only 21 percent of devs surveyed who work in more traditional development environments report that their company has a complete software bill of materials.
It doesn’t take a genius to figure out that without complete records, there will continue to be devastating delays in the patching of open source glitches.
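As an added illustration (not from the article or the survey), here is a small check that reads a CycloneDX-style software bill of materials and matches each component against an advisory list. The SBOM and the advisory data are constructed for the example; a component recorded without a version is reported as unassessable, which is exactly the gap an incomplete inventory leaves.

```python
import json
import re

# Constructed CycloneDX-style SBOM (not a real inventory): one component lacks a version.
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "components": [
    {"name": "openssl", "version": "1.0.1f"},
    {"name": "struts2-core", "version": "2.3.31"},
    {"name": "log-helper", "version": "4.2.0"},
    {"name": "xml-parser"}
  ]
}
"""

# Constructed advisory feed (placeholder ids and ranges): affected range is [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "name": "openssl", "introduced": "1.0.1", "fixed": "1.0.1g"},
    {"id": "ADV-EXAMPLE-2", "name": "struts2-core", "introduced": "2.3.5", "fixed": "2.3.32"},
]


def version_key(v):
    """Split '1.0.1f' into comparable parts: numbers compare numerically, letter suffixes lexically."""
    parts = re.findall(r"\d+|[a-zA-Z]+", v)
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def assess(sbom_json, advisories):
    """Return {component name: status}; 'unknown' when the SBOM records no version to check."""
    report = {}
    for comp in json.loads(sbom_json)["components"]:
        name, version = comp["name"], comp.get("version")
        if version is None:
            report[name] = "unknown"  # incomplete inventory: cannot be assessed or prioritised
            continue
        hits = [a["id"] for a in advisories
                if a["name"] == name
                and version_key(a["introduced"]) <= version_key(version) < version_key(a["fixed"])]
        report[name] = "vulnerable:" + ",".join(hits) if hits else "ok"
    return report


if __name__ == "__main__":
    for name, status in assess(SBOM_JSON, ADVISORIES).items():
        print(f"{name:14} {status}")
```

In practice the advisory feed comes from a vulnerability database and the SBOM from the build, but the check only works when every component is recorded with its version.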
The survey also reveals that almost half of respondents admit to not having enough time to devote to security, even though they understand its importance. While automation services have been shown to help, there ultimately isn’t much devs can do until management has a change of heart and starts taking security more seriously.