Open source breaches increase 71%

Sonatype has published the findings from its sixth annual DevSecOps Community Survey of 5,558 IT professionals, the largest ever conducted. Developed in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit, and Twistlock, the survey examined how enterprises implement software development and security practices in the face of accelerating attacks from bad actors.

 

Key findings show that open source breaches have increased by 71% over the last five years, while 26% of companies reported a confirmed or suspected web application breach in the past year alone. This follows last month’s revelation that a hacker exploited a web vulnerability in well-known apps, enabling them to steal 620 million account details, which are now for sale on the dark web.

 

“Underpinning 80 - 90% of an enterprise application, open source components have played an instrumental role in driving innovation and accelerating time to market,” Weeks continued. “But with as many as 50% of downloaded components containing a known vulnerability, it is critical that organisations implement proper software governance to ensure they’re building quality - and security - into their applications from the beginning.”

 

Despite being proven to improve cyber security capabilities, 41% of executives admitted their company doesn’t follow an open source governance programme.  This latest revelation follows earlier Sonatype research, which showed that over 10,000 organisations - including 65% of the Global Fortune 100 – downloaded the flawed component that led to the Equifax breach in the last six months of 2018.  Further external research revealed that in October 2018, 51% of JavaScript downloads in October contained a known vulnerability, further demonstrating the scale of the challenge.

 

However, the findings also demonstrate that progress is being made, and DevSecOps practices are helping companies to bolster their cyber security capabilities. Of the organisations surveyed, 81% of those with elite DevSecOps programmes had a cyber security response plan in place, versus 62% of those without; elite DevSecOps companies are also three times more likely to provide application security training. Other key results show that 62% of respondents with elite programmes have an open source governance programme in place, versus just 25% of those without DevOps practices.

 

“Key DevOps principles including: continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach”, said Hasan Yasar, Technical Manager and Adjunct Faculty Member for Carnegie Mellon’s Software Engineering Institute. “We must all recognize security is a living thing and organizations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”

 

Other results highlighted the resourcing challenges facing businesses, and showed that little progress has been made. For the third year in a row, almost half (48%) of developers stated they believe security is a priority, but don’t have enough time to spend. In parallel, 50% of respondents using cloud infrastructure rely on the cloud provider to deliver security instead of managing themselves,

 

“At a time when developers are under pressure and unable to find sufficient time to spend on security, the need for automated application security testing becomes even more apparent,” concluded Weeks. “The DevSecOps community has shown us that elite organizations are performing significantly less manual work, boosting efficiencies, simultaneously helping them to improve their cyber security capabilities, and better prepare for security incidents as they arise.”