Poor Control Over Open Source Component Use Puts Organizations at Risk: Survey

Many software development firms still fail to ensure that the components they use don’t contain security vulnerabilities, according to a report published on Tuesday by software supply chain management company Sonatype.

One in ten of the roughly 3,300 software developers, architects and application security professionals who took part in the survey admitted that an open source component was, or was suspected of being, the cause of a breach within the last year. The report shows that the OpenSSL vulnerability known as Heartbleed has heightened concerns over open source-related breaches.

This year, 43% of organizations said they don’t have an open source policy, which is a bit better than the previous year when 57% didn’t have one. Of the organizations that do have such policies in place, only 68% follow them, and 78% have never banned the use of an open source component, library or project, the report said.

Concerningly, 38% of the respondents said their open source policy doesn’t address security vulnerabilities, while 41% noted that they only have to avoid known vulnerabilities. Just two out of ten developers have to demonstrate that they’re not using components with known security holes. The lack of enforcement capability was cited as the main challenge with their open source policy by 41% of participants.

According to Sonatype, most developers don’t track component vulnerability over time. 40% of survey respondents believe that the development department is responsible for tracking and resolving newly discovered vulnerabilities in “production” applications, and only 18% said it was the responsibility of the application security department. Another 18% reported that the task falls into the responsibilities of IT operations.
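The two gaps the survey describes, developers not having to show that a component is free of known vulnerabilities and nobody tracking component vulnerabilities over time, are both addressed by the same routine check: compare the component inventory of a build against an advisory feed, and re-run it whenever either side changes. The following is an added example written for this article, not code from Sonatype or from the report; the component inventory, the advisory identifiers and the affected version ranges are all constructed sample data (the `openssl` range is made up to look like a real advisory, nothing more), and the half-open "introduced/fixed" range convention is an assumption borrowed from common advisory formats.

```python
"""Flag inventoried open source components that fall inside known-vulnerable
version ranges. Constructed example: the inventory and advisories below are
made-up sample data, not a real feed."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Accepts dotted numeric versions with an optional trailing letter, e.g. 1.0.1f
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)([a-z]?)$")


def parse_version(text: str) -> Tuple[Tuple[int, ...], str]:
    """Turn '1.0.1f' into a comparable tuple ((1, 0, 1), 'f').

    Trailing zero parts are dropped so that 1.0 and 1.0.0 compare equal;
    a missing letter suffix sorts before any letter ('' < 'a').
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    nums = [int(p) for p in m.group(1).split(".")]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return (tuple(nums), m.group(2))


@dataclass(frozen=True)
class Advisory:
    ident: str          # advisory identifier (constructed placeholders here)
    component: str      # component name as it appears in the inventory
    introduced: str     # first affected version, inclusive
    fixed: Optional[str]  # first fixed version, exclusive; None means no fix yet


def is_affected(version: str, advisory: Advisory) -> bool:
    """True if `version` lies in [introduced, fixed) for this advisory."""
    v = parse_version(version)
    if v < parse_version(advisory.introduced):
        return False
    return advisory.fixed is None or v < parse_version(advisory.fixed)


def find_vulnerable(components: List[Tuple[str, str]],
                    advisories: List[Advisory]) -> List[Tuple[str, str, str]]:
    """Return (name, version, advisory id) for every inventoried component
    that matches an advisory. Component names are matched case-insensitively."""
    by_name = {}
    for a in advisories:
        by_name.setdefault(a.component.lower(), []).append(a)
    hits = []
    for name, version in components:
        for a in by_name.get(name.lower(), []):
            if is_affected(version, a):
                hits.append((name, version, a.ident))
    return hits


# Constructed sample inventory, the kind of list a build manifest or SBOM gives you
SAMPLE_COMPONENTS = [
    ("openssl", "1.0.1f"),
    ("openssl", "1.0.1g"),
    ("libfoo", "2.3.0"),
    ("libbar", "0.9"),
]

# Constructed advisories; identifiers and ranges are made up for this example
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "openssl", "1.0.1", "1.0.1g"),
    Advisory("ADV-0002", "libfoo", "2.0.0", "2.4.0"),
    Advisory("ADV-0003", "libbar", "1.0", None),
]

if __name__ == "__main__":
    for name, version, ident in find_vulnerable(SAMPLE_COMPONENTS, SAMPLE_ADVISORIES):
        print(f"{name} {version}: affected by {ident}")
```

Run against the sample data this reports `openssl 1.0.1f` and `libfoo 2.3.0` and stays quiet about the patched `openssl 1.0.1g` and the out-of-range `libbar 0.9`. The point of keeping the inventory and the advisory list as two separate inputs is that a component that passed the check at build time can fail it later when a new advisory lands, which is exactly the "tracking over time" the survey says most teams do not do; scheduling this check, rather than running it once, is what closes that gap.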

When asked about their developers’ interest in application security, only 27% of organizations said this aspect is a “top concern,” as opposed to 40% in last year’s survey, which had around the same number of participants.

“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”

The complete 2014 State of Open Source Development and Application Security Survey (PDF) is available online.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
