Three-fourths of organizations lack app component policy

01 May 2013

When it comes to developing applications, open-source component use continues to skyrocket. And like operating systems or databases, open-source components represent a rich attack vector for hackers to exploit given their commonality across organizations and applications.

In fact, nearly 80% of the applications developers are building rely on open-source components. Unfortunately, organizations continue to struggle to establish policy to secure and govern component use: according to the survey, 57% of all organizations have no component policy at all, and among large organizations 76% have no control over which components their developers use, a potentially huge security hole.

The lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to massive, unmanaged risk, according to Sonatype’s third-annual Open Source Software Development survey.

It reveals that organizations are exposed to significant risks caused by their increasing reliance on open-source components. Sonatype said that component flaws are exceedingly common: more than 70% of applications contain components with known security flaws classified as severe or critical. Everything from big data to cloud and mobile applications is exposed to unmanaged risk.

While developers are on the frontlines of application security, making choices every day that affect the quality and security of the applications that run the world, the pressure to add more features and put applications into production quickly comes at what the company calls a “devastating tradeoff” – to go fast or be secure. The survey findings suggest an overwhelming desire by developers for a non-intrusive way to proactively identify, govern and fix flawed components throughout the development lifecycle.

It all comes down to how developers, architects and managers balance the need for speed with the need for security. For large enterprises, more than half said that developers don't focus on security at all. Nearly 20% of this group said they know application security is important but they don't have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely.

"Our world runs on software and software runs on open-source components," said Wayne Jackson, CEO of Sonatype. "Securing networks and operating systems is not enough to protect the critical data housed in modern applications. As the frontline of defense, developers must be empowered not burdened. A new approach to security is needed, one that balances speed, quality and risk. By informing component choice, pinpointing flaws early in the software lifecycle and offering flexible remediation options, enterprises can better protect against malicious exploit, maintain developer productivity and avoid downstream rework costs."

While reliance on open-source components increases year over year, limited visibility, control and management of their use continue to be a problem. Of the large organizations surveyed (companies with more than 500 developers), an astonishing 76% have no control over what components are being used in software development projects, and, even more alarming, 65% do not maintain an inventory of the components used in production applications.

Despite the widespread acceptance of component-based development, 57% of those surveyed lack any policy governing component usage. Organizations that do have open-source policies say enforcement is a challenge and not a top priority. Developers cite as the biggest problems with open-source policy that it slows development, that expectations are unclear or the policy is unenforced, and that problems are found too late in the development lifecycle.

The lack of policy enforcement may be due in part to confusion over who owns, or is responsible for monitoring and managing, open-source usage, Sonatype said. No single, centralized authority governing open source emerged in the organizations that reported having a corporate policy. Another contributing factor is that large organizations are often unaware that open source is being used at all. Open-source standardization is seen more frequently in organizations with fewer than 500 developers, but that doesn't mean large enterprises aren't using open-source frameworks and components: 44% of developers on large teams say they are standardizing on an open-source development infrastructure stack, while 33% state, "It's not our corporate standard, but tons of people use it."

Even organizations with an open-source policy are doing very little to prevent security vulnerabilities from creeping in. Only 25% of respondents, one in four organizations surveyed, must prove they are not using components with known vulnerabilities. But because each component carries a high volume of dependencies of its own (often tens or hundreds) and because components change frequently (a typical component is updated four times per year), all organizations concede it is nearly impossible to monitor and maintain accurate component intelligence.
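The two gaps the survey keeps returning to, no inventory of the components actually shipped and no way to prove none of them carry a known flaw, are mechanical once the dependency graph is machine-readable, transitive dependencies included. The script below is an added example, not code from the article or from Sonatype: it walks a constructed dependency graph breadth-first to build an inventory that records which direct dependency pulled each transitive component in, then matches every inventoried version against a constructed advisory list with half-open affected ranges. All component names, versions and advisory identifiers are made up for illustration; a real run would read a resolved lock file or build-tool dependency tree and a vulnerability feed instead.

```python
# Added example, not code from the article or from Sonatype: build a
# transitive component inventory from a dependency graph and flag any
# component whose version falls inside a known-vulnerable range.
# All component names, versions and advisory IDs below are constructed.
from collections import deque

# Constructed graph: coordinate ("name@version") -> direct dependencies.
# log-core is pulled in at two versions by two different direct dependencies,
# which is exactly the kind of transitive drift a manual inventory misses.
DEPENDENCY_GRAPH = {
    "acme-webapp@1.0.0": ["http-toolkit@2.3.1", "json-mapper@1.9.0"],
    "http-toolkit@2.3.1": ["log-core@4.1.0", "compress-lib@1.4.0"],
    "json-mapper@1.9.0": ["log-core@4.0.2", "compress-lib@1.4.0"],
    "log-core@4.1.0": [],
    "log-core@4.0.2": [],
    "compress-lib@1.4.0": [],
}

# Constructed advisories: the affected range is [min, max), i.e. the version
# named in "max" is the first fixed release and is NOT affected.
ADVISORIES = [
    {"id": "ADV-2013-0001", "component": "log-core", "min": "4.0.0",
     "max": "4.1.0", "severity": "critical"},
    {"id": "ADV-2013-0002", "component": "compress-lib", "min": "1.0.0",
     "max": "1.4.0", "severity": "severe"},
]


def parse_version(text):
    """'4.10.0' -> (4, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def split_coordinate(coordinate):
    """'log-core@4.0.2' -> ('log-core', '4.0.2')."""
    name, version = coordinate.rsplit("@", 1)
    return name, version


def build_inventory(root, graph):
    """Breadth-first walk from the root component.

    Returns {coordinate: path}, where path is the chain of coordinates from the
    root that first pulled the component in (useful for remediation: it names
    the direct dependency to upgrade). Recording each coordinate once stops
    cycles; a coordinate missing from the graph is treated as a leaf.
    """
    inventory = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        for dependency in graph.get(current, []):
            if dependency in inventory:
                continue
            inventory[dependency] = inventory[current] + [dependency]
            queue.append(dependency)
    return inventory


def is_affected(version, advisory):
    """True when min <= version < max under numeric version ordering."""
    v = parse_version(version)
    return parse_version(advisory["min"]) <= v < parse_version(advisory["max"])


def find_vulnerable(inventory, advisories):
    """Match every inventoried component against the advisory list."""
    findings = []
    for coordinate, path in inventory.items():
        name, version = split_coordinate(coordinate)
        for advisory in advisories:
            if advisory["component"] == name and is_affected(version, advisory):
                findings.append({
                    "coordinate": coordinate,
                    "advisory": advisory["id"],
                    "severity": advisory["severity"],
                    "path": path,
                })
    return sorted(findings, key=lambda f: (f["coordinate"], f["advisory"]))


if __name__ == "__main__":
    inv = build_inventory("acme-webapp@1.0.0", DEPENDENCY_GRAPH)
    print(f"{len(inv)} components in inventory")
    for finding in find_vulnerable(inv, ADVISORIES):
        print(f"{finding['severity']}: {finding['coordinate']} "
              f"({finding['advisory']}) via {' -> '.join(finding['path'])}")
```

On the constructed data only log-core@4.0.2, reached through json-mapper, is flagged; log-core@4.1.0 and compress-lib@1.4.0 sit exactly on the fixed-version boundary and are correctly left alone, which is where string comparison or an inclusive upper bound would produce false positives or, worse, false negatives. Running this on every build, rather than once a year, is the "non-intrusive" check the survey's developers say they want.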
