DevOps May Be Cause of and Solution to Open Source Component Chaos

Published: 22/11/2024   Category: security




DevOps is accelerating the trend of componentized development approaches, but its automation can also help enforce better governance and security.



RSA CONFERENCE 2018 – San Francisco – Modern software development is trending more toward a componentized approach because developers would rather assemble something using a variety of well-built pieces of third-party code than reinvent the wheel every time they create something new. The approach has done wonders for speed and agility, but it is increasing a lot of enterprise attack surfaces because too few organizations are keeping up with the vulnerabilities these components pose.

A new study outlined today at the DevOps Connect event at RSA Conference in San Francisco shows that the threat, or at least the awareness of the threat, is on the rise. A survey conducted by Sonatype among over 2,000 IT pros, with a heavy emphasis on developers, showed that 31% of participants suspect or have verified a breach related to open source components in the last 12 months. That's more than double the ratio of those answering similarly in 2014.
In some ways, it's inevitable that components are drawing more scrutiny than four years ago. High-profile open source vulnerabilities such as Heartbleed and Struts-Shock are forcing this issue into the security consciousness of more organizations. And big breaches caused by components, such as the one at Equifax, emphasize the consequences of ignoring these vulnerabilities.
Unfortunately, that scrutiny isn't necessarily translating into swift, meaningful action to address the problem. The Sonatype study showed that 62% of organizations today still do not have meaningful controls over what components are in their applications. This number may even be on the optimistic side. A different study out last week from Veracode showed that only 23% of organizations test for vulnerabilities in components at every release, and just 52% update those components when a security vulnerability in one of them is announced.
That's startling considering that the Veracode study found that 93% of organizations today utilize open source or third-party components, with an average of 73 components used in these applications. It's clear that this is no niche in development processes; it's simply how applications are built today. And given trends in DevOps, the trend is expected to accelerate.
"DevOps, in a way, has many parallels to high-velocity manufacturing, and as a part of that we're using open source components to be more efficient in that manufacturing," explains Derek Weeks, vice president and DevOps advocate for Sonatype, who went over study findings today.
While that's going to increase the number of components dev teams will use to build their applications, it also introduces a more reliable avenue for imposing some semblance of governance and control over those components.
"What they're doing is introducing tools to manage this massive number of components and parts in the manufacturing process, whether they're containers moving around, bits of source code moving around, bits of open source components moving around, and build artifacts moving around," Weeks says. "They want to be able to release fast and fail fast. If you don't track those parts, it's very hard to release fast and then pull it back if you can't trace it."
Security teams should be able to piggyback onto this level of automation, which has mostly been imposed for quality reasons, to also control security vulnerabilities within source code. At mature DevSecOps teams, that's already happening, according to the Sonatype study.
The research showed that among traditional waterfall development shops that do not adhere to DevOps methodologies, just 58% report having open source governance policies in place. What's worse, 48% of those non-DevOps shops with a policy say they ignore those policies. So just a sliver of traditional organizations have rules around how components are used and stick to them. Meanwhile, among mature DevOps shops, 77% report having open source governance policies in place. And just 24% of those organizations ignore the policies.
"When you're embedding open source governance throughout the development life cycle, automation becomes very difficult to ignore," Weeks explains. "It's embedded into the design tools and build tools that you're using, and when it's hitting you in the face as a developer, it's hard to sidestep."
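The kind of build-time governance gate described above, as an added illustration that is not Sonatype's tooling or any code from the article: the component inventory, the advisory feed and the advisory identifiers are all constructed sample data, and versions are compared as dotted integer tuples, which is enough for this sample but not for real version schemes.

```python
"""Build gate that evaluates an application's component inventory against an
advisory feed and a severity-based governance policy (illustrative example)."""

# Constructed sample inventory, as a build tool might emit for one application.
INVENTORY = [
    {"name": "struts2-core", "version": "2.3.31"},
    {"name": "openssl-bindings", "version": "1.0.2"},
    {"name": "left-pad", "version": "1.3.0"},
]

# Constructed sample advisory feed; the ids are placeholders, not real CVEs.
# A component is affected when its version is older than "fixed_in".
ADVISORIES = [
    {"name": "struts2-core", "fixed_in": "2.3.32", "severity": "critical", "id": "ADV-EXAMPLE-1"},
    {"name": "openssl-bindings", "fixed_in": "1.0.1", "severity": "high", "id": "ADV-EXAMPLE-2"},
    {"name": "left-pad", "fixed_in": "1.3.1", "severity": "medium", "id": "ADV-EXAMPLE-3"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}
POLICY_BLOCK_AT = "high"  # governance policy: fail the build at this severity or above


def parse_version(version: str) -> tuple:
    """Turn '2.3.31' into (2, 3, 31) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def evaluate(inventory, advisories, block_at=POLICY_BLOCK_AT):
    """Return (component, version, advisory id, severity) for every violation."""
    threshold = SEVERITY_RANK[block_at]
    violations = []
    for comp in inventory:
        for adv in advisories:
            if adv["name"] != comp["name"]:
                continue
            affected = parse_version(comp["version"]) < parse_version(adv["fixed_in"])
            if affected and SEVERITY_RANK[adv["severity"]] >= threshold:
                violations.append((comp["name"], comp["version"], adv["id"], adv["severity"]))
    return violations


def build_allowed(inventory=INVENTORY, advisories=ADVISORIES, block_at=POLICY_BLOCK_AT) -> bool:
    """The gate a CI step would call: True only when no violation remains."""
    return not evaluate(inventory, advisories, block_at)


if __name__ == "__main__":
    for name, version, adv_id, severity in evaluate(INVENTORY, ADVISORIES):
        print(f"BLOCKED: {name} {version} affected by {adv_id} ({severity})")
    raise SystemExit(0 if build_allowed() else 1)
```

Tightening the policy to "medium" also catches the left-pad entry, while openssl-bindings passes at every level because 1.0.2 is already past the fixed version.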