The widespread adoption of open source components to power enterprise applications has no doubt helped organisations increase their efficiency, but a lack of oversight of the security of those components is seriously endangering organisations’ cyber security.
Last year, in an expert opinion published by TEISS, Derek Weeks, VP and DevOps Advocate at Sonatype, said that the software industry’s adoption of open source components flew in the face of Cyber Security by Design, a concept championed by the government to ensure that companies introduce cyber security into their products at the design stage, making it less complicated to build security into their devices.
“Shipping known vulnerable software components in one’s product in any other manufacturing industry would be considered gross negligence. Connected toys and smartwatches, however, are only the tip of the iceberg. No other manufacturing industry is permitted to ship known vulnerable or defective parts in their products. Why should software manufacturers be any different?” he wrote.
“If we factor in products such as connected pacemakers and driverless cars, this turns into a life or death situation. This isn’t even taking into account the increasingly connected nature of heavy manufacturing and utilities – industries that affect everyday life and have a huge impact on everyone no matter who they are or where they work,” Weeks added.
8.8% of open source components have known security flaws
Earlier this week, Sonatype released its latest State of the Software Supply Chain Report, which revealed that at least 21,000 of the 248,000 open source components downloaded by British businesses in 2018 had a known security flaw, and that 30 percent of these vulnerabilities are deemed critical, posing a serious risk to the security of software.
As a result, almost 1 in 4 organisations (24%) in the UK either confirmed or suspected that they had suffered data breaches related to open source components, and open-source-related breaches increased by 71 percent over the past five years. This indicates that even though the share of flawed components fell to one in ten in 2018 from one in eight a year before, hackers are still targeting such components to gain access to enterprise networks.
Sonatype also noted in its report that at least fifteen events took place in 2018 that indicated a new attack pattern for malicious code injection within open source software supply chains.
“We have long advised business that they should rely on the fewest open source components suppliers with the best track records in order to develop the highest quality and lowest risk software,” said Wayne Jackson, CEO of Sonatype.
“For organisations who tame their software supply chains through better supplier choices, component selection, and use of automation, the rewards revealed in this year’s report are impressive. Use of known vulnerable component releases was reduced by 55%,” he added.
New coding practices are reducing OSS-related cyber security risks
The demand for and availability of open source components are such that the 12,000 enterprises surveyed by Sonatype downloaded an average of 313,000 components each, demand for Java components rose by 68 percent year-over-year to 146 billion download requests, and 21,448 new open source releases are made available to developers every day.
According to Sonatype, enterprises that adopted new code development practices dramatically reduced their cyber security risk, and improved software supply chain management also reduced the number of vulnerable downloads in 2018.
Software supply chain automation has also helped enterprise development teams to reduce their use of vulnerable open source components by 55%, to increase their use of automated tools for managing open source dependencies, and to proactively remove problematic or unused dependencies.
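The kind of automated dependency check the report credits with those reductions, as an added example that is not part of the article and is not Sonatype’s tooling: a small Python audit that parses a constructed Maven-style lock file, matches each component against a constructed advisory list with introduced/fixed version ranges, flags dependencies the application never imports, and gates the build on critical findings. Every component name, advisory ID and version here is hypothetical.

```python
"""Toy software-composition audit (example code, not a product).

Reads a lock file of groupId:artifactId:version coordinates, matches each
component against an advisory feed, reports unused dependencies and decides
whether the build should fail. All inputs below are constructed for the demo.
"""
import re

# Constructed lock file; component names are hypothetical.
LOCKFILE = """
# group:artifact:version
org.example:web-core:2.3.1
org.example:json-parse:1.0.4
org.example:legacy-xml:0.9.0
org.example:metrics:3.2.0
"""

# Constructed advisory feed. A component is affected when
# introduced <= version < fixed; fixed=None means no fix has shipped.
ADVISORIES = [
    {"id": "EXAMPLE-0001", "component": "org.example:json-parse",
     "introduced": "1.0.0", "fixed": "1.0.5", "severity": "critical"},
    {"id": "EXAMPLE-0002", "component": "org.example:legacy-xml",
     "introduced": "0.0.0", "fixed": None, "severity": "high"},
]

# Constructed set of components the application's own code actually imports.
IMPORTED = {"org.example:web-core", "org.example:json-parse", "org.example:legacy-xml"}


def parse_version(text: str) -> tuple:
    """Turn '1.0.4' into (1, 0, 4) so versions compare numerically, not as strings.
    Simplified: pre-release suffixes are ignored."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def parse_lockfile(text: str) -> dict:
    """Map 'group:artifact' -> version, skipping blank lines and comments."""
    deps = {}
    for line in text.strip().splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        group, artifact, version = line.split(":")
        deps[f"{group}:{artifact}"] = version
    return deps


def is_affected(version: str, advisory: dict) -> bool:
    """True if version falls inside the advisory's [introduced, fixed) range."""
    v = parse_version(version)
    if v < parse_version(advisory["introduced"]):
        return False
    fixed = advisory["fixed"]
    return fixed is None or v < parse_version(fixed)


def audit(lockfile: str, advisories: list, imported: set) -> dict:
    """Cross-reference the lock file with the advisory feed and the import set."""
    deps = parse_lockfile(lockfile)
    vulnerable = []
    for adv in advisories:
        version = deps.get(adv["component"])
        if version is not None and is_affected(version, adv):
            vulnerable.append({"component": adv["component"], "version": version,
                               "advisory": adv["id"], "severity": adv["severity"]})
    # Declared but never imported: candidates for removal, which shrinks the attack surface.
    unused = sorted(name for name in deps if name not in imported)
    return {"total": len(deps), "vulnerable": vulnerable, "unused": unused}


def build_should_fail(report: dict, block_severities=("critical",)) -> bool:
    """Policy gate: fail the build if any finding has a blocked severity."""
    return any(f["severity"] in block_severities for f in report["vulnerable"])


if __name__ == "__main__":
    report = audit(LOCKFILE, ADVISORIES, IMPORTED)
    for f in report["vulnerable"]:
        print(f"VULNERABLE {f['component']}@{f['version']} {f['advisory']} ({f['severity']})")
    for name in report["unused"]:
        print(f"UNUSED     {name}")
    print("build gate:", "FAIL" if build_should_fail(report) else "PASS")
```

In a pipeline the advisory feed would be a real vulnerability database and the import set would come from the build graph; the gate’s severity threshold is the knob that turns the audit from a report into an enforced policy.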