As enterprises have increased their reliance on applications over the years, there has been a significant rise in the use of reusable software components such as third-party libraries and open source code. This makes perfect sense, as this development method makes it possible to add value to applications and other software offerings quickly and easily. After all, why reinvent the wheel when supposedly well-tested and proven software components are readily available?
As a result, open source code has become a vital part of software development for most organizations. Today, nearly 70% of every application is comprised of reusable software components, including open source software. At one time, open source software was considered too risky for commercial use. That is not the case today, however, as even major corporations are making use of open source components to innovate and deliver applications to market rapidly.
While enterprises have gotten very good at using open source to speed the application development process, they have not yet figured out how to do so without inadvertently introducing vulnerabilities into their code. This is due in part to the fact that as more enterprises increase reliance on applications, they fail to implement application security into the software development life cycle. Consequently, as the adoption of open source software continues to grow, the likelihood of applications inheriting vulnerabilities is higher than ever before.
This is evidenced by the fact that, according to my company’s research, unpatched library vulnerabilities make up 21% of all application vulnerabilities, by far the most of any type. In fact, nearly 20% of the inquiries we answer are related to unpatched libraries, which is almost on par with injection vulnerabilities.
That is why it is imperative for development teams to stay up-to-date with open source library maintenance and updates.
Software Composition Analysis
The right way for organizations to track their open source components is through a set of technologies known collectively as software composition analysis (SCA). These technologies, which arose out of a need to automate the open source management process, provide organizations with visibility into their open source inventory. This allows them to identify third-party and open source components integrated into their applications.
Using SCA, organizations can determine easily if any of their applications are relying on a vulnerable library, if any libraries are out of date and whether licensing is legal/proper. SCA helps them identify multiple types of risk introduced by third-party and open source components. These can include known vulnerabilities, intellectual property risk and technical debt related to component age.
It’s important to remember the use of open source software code is not a problem in and of itself. On the contrary, it has been an essential part of the recent innovations in software development, and, in fact, it is no riskier than proprietary or commercial off-the-shelf offerings.
Problems arise only when organizations fail to be proactive in identifying and managing security and license risks associated with open source code. This may occur in part because it is assumed that, as with commercial software, updates, patches and information are pushed to the user. But that’s not the case in the open source world, where the onus is on the user to keep track of these things.
It takes diligence, but in the end, the only way to mitigate both the security and legal risks associated with your open source code—and to fully realize its benefits—is to track every piece of it. Today, SCA is the proven way to help you do that. By incorporating SCA into the development process, developers can capture inherited vulnerabilities early enough to prevent them from being introduced. Of course, it should go without saying, but it’s not enough to just find vulnerabilities; you also must fix them. The most typical remediation is replacing vulnerable components with the non-vulnerable ones.
Considering most application code is now open source, and attackers are going after vulnerabilities in open source more than ever before, SCA should not be an afterthought. It needs to be an integral part of any organization’s application security and secure DevOps processes.
— Joseph Feiman