Many software development firms still fail to ensure that the components they use don’t contain security vulnerabilities, according to a report published on Tuesday by software supply chain management company Sonatype.
One in ten of the roughly 3,300 software developers, architects and application security professionals who took part in the survey admitted that an open source component was, or was suspected of being, the cause of a breach within the last year. The report shows that the OpenSSL vulnerability known as Heartbleed has heightened concerns over open source-related breaches.
This year, 43% of organizations said they don’t have an open source policy, which is a bit better than the previous year when 57% didn’t have one. Of the organizations that do have such policies in place, only 68% follow them, and 78% have never banned the use of an open source component, library or project, the report said.
Concerningly, 38% of the respondents said their open source policy doesn’t address security vulnerabilities at all, while 41% noted that they are only required to avoid components with known vulnerabilities. Just two out of ten developers have to actually demonstrate that they’re not using components with known security holes. 41% of participants cited the lack of enforcement capability as the main challenge with their open source policy.
According to Sonatype, most developers don’t track component vulnerabilities over time, even though a component that was clean when it was adopted can become vulnerable the day a new advisory is published. 40% of survey respondents believe that the development department is responsible for tracking and resolving newly discovered vulnerabilities in “production” applications, while only 18% said it was the responsibility of the application security department. Another 18% reported that the task falls to IT operations.
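The two gaps the survey describes, policies that are not enforced and components that are never re-checked after a release, are both addressed by the same mechanism: a build-time gate that compares the pinned component list against an advisory feed every time the feed changes. The following is an added example written for this article, not Sonatype’s tooling or anything from the report. It assumes a simplified advisory record with an “introduced” and a “fixed” version (the layout is constructed for the example); the Heartbleed record reflects the real affected range on the OpenSSL 1.0.1 branch (1.0.1 through 1.0.1f, fixed in 1.0.1g), while the `examplelib` advisory and the manifest are constructed sample data.

```python
"""Added example: a build-time gate that checks pinned components against a
local advisory feed and fails the build on unwaived known vulnerabilities.
The feed layout, the 'examplelib' advisory and the manifest are constructed
for this example; they are not a real vendor feed or a real project."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    id: str
    component: str
    introduced: str           # first affected version
    fixed: Optional[str]      # first fixed version, None if no fix exists yet
    summary: str


@dataclass
class Finding:
    component: str
    version: str
    advisory: Advisory


def parse_version(v: str) -> Tuple[Tuple[int, str], ...]:
    """Turn '1.0.1f' into ((1,''),(0,''),(1,'f')) so versions compare as tuples.
    Only dotted numeric parts with an optional letter suffix (OpenSSL style)
    are supported; anything else is rejected rather than silently mis-ordered."""
    key = []
    for part in v.split("."):
        m = re.fullmatch(r"(\d+)([A-Za-z]*)", part)
        if not m:
            raise ValueError(f"unsupported version string: {v!r}")
        key.append((int(m.group(1)), m.group(2).lower()))
    return tuple(key)


def is_affected(version: str, adv: Advisory) -> bool:
    """introduced <= version < fixed (unbounded above when no fix exists)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def scan(manifest: List[Tuple[str, str]], feed: List[Advisory]) -> List[Finding]:
    """Match every pinned (name, version) against every advisory for that name."""
    findings = []
    for name, version in manifest:
        for adv in feed:
            if adv.component == name and is_affected(version, adv):
                findings.append(Finding(name, version, adv))
    return findings


def gate(manifest, feed, waivers=frozenset()):
    """Return (passed, findings). The build should fail unless every finding
    is covered by an explicit, reviewed waiver of that advisory id."""
    findings = scan(manifest, feed)
    blocking = [f for f in findings if f.advisory.id not in waivers]
    return (not blocking, findings)


# Real range for Heartbleed on the 1.0.1 branch: 1.0.1 through 1.0.1f, fixed in 1.0.1g.
HEARTBLEED = Advisory("CVE-2014-0160", "openssl", "1.0.1", "1.0.1g",
                      "Heartbleed: TLS heartbeat read overrun")
# Constructed advisory for a fictitious component; not a real CVE.
EXAMPLE_ADV = Advisory("EXAMPLE-2014-001", "examplelib", "2.0.0", None,
                       "constructed: issue with no fix released")

FEED_V1 = [HEARTBLEED]                 # the feed as it looked at release time
FEED_V2 = [HEARTBLEED, EXAMPLE_ADV]    # the same feed after a new advisory lands

# Constructed manifest of pinned components for a hypothetical application.
MANIFEST = [("openssl", "1.0.1e"), ("examplelib", "2.3.0"), ("zlib", "1.2.8")]

if __name__ == "__main__":
    passed, findings = gate(MANIFEST, FEED_V2)
    for f in findings:
        print(f"{f.component} {f.version}: {f.advisory.id} ({f.advisory.summary})")
    print("gate:", "PASS" if passed else "FAIL")
```

Running the same manifest against `FEED_V1` and then `FEED_V2` is the “tracking over time” the report finds most teams skip: nothing in the application changed, but the second run flags `examplelib`, which was clean at release. The waiver set is what turns a policy into an enforceable one: a finding only stops blocking the build when someone records a decision against a specific advisory id, rather than when a developer decides to ignore it.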
When asked about their developers’ interest in application security, only 27% of organizations said this aspect is a “top concern,” as opposed to 40% in last year’s survey, which had around the same number of participants.
“Applications are the #1 attack vector leading to breaches, according to the 2014 Annual Verizon Data Breach Investigations Report. That means that if you are not using secure components, you are not building secure applications,” said Wayne Jackson, CEO of Sonatype. “Our survey clearly shows that most companies completely ignore the problem, and this creates an extraordinary security risk, as the panic over the Heartbleed bug demonstrated. This isn’t a theoretical threat. It’s real, and some very large businesses have admitted to being attacked.”
The complete 2014 State of Open Source Development and Application Security Survey (PDF) is available online.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
