How to Tackle Open Source Vulnerabilities While Closing the DevOps/SecOps Gap


Creating more efficiency in the workplace often involves tearing down silos and increasing cross-functional collaboration to deliver better outcomes.

But this isn’t always as easy as it sounds. In many organizations, security and development teams have a longstanding disconnect stemming from differing responsibilities and competing priorities, coupled with a large communications gap.

Digital transformation has put increased pressure on both teams, and that pressure has exacerbated the cultural divide. DevOps is tasked with pushing out products at accelerating speeds, while SecOps is facing increasingly complex threats and an overload of alerts. The result? Both are grappling with overwhelming workloads.

Although DevOps teams understand the importance of securing their work, security is often either an afterthought or perceived as a costly delay. The further left in the continuous integration and continuous delivery (CI/CD) pipeline you go, the more SecOps oversight diminishes, making it harder for security teams to identify problems. This is a significant issue for the SecOps teams that own cyber risk, and the miscommunication and lack of visibility are only worsened by misaligned tooling on both sides.

To combat these problems, security needs to be built in by design.

The Open Source Code Factor

Open source dominates modern applications, making up approximately 80% of application code today. By removing the need to write code from scratch, third-party open-source components, in particular, can rapidly accelerate time-to-market and reduce development costs.

But open source is also a point of growing cyber-risk inside the enterprise, and open source vulnerabilities can be challenging to the already strained DevOps and SecOps relationship. As developers expand their use of open source libraries to take advantage of the flexibility and efficiencies provided, the attack surface expands accordingly. More often than not, security teams are left in the dark as DevOps teams move quickly to build and launch applications.

As most applications are built using multiple open-source libraries, complex component inventories increase opacity, and reduced visibility creates risk. Open-source vulnerabilities have grown 250% over the past three years, according to research from Snyk. What’s worse, 70% of these vulnerabilities come from indirect dependencies, making them even harder to identify and mitigate. To counter this, SecOps teams need increased visibility into this unfamiliar and vast ecosystem.

With open source code, visibility for security teams is a major factor in securing an application. Security teams need a solution that not only allows them to identify vulnerabilities, but also communicate them in a common language that makes it simple for DevOps teams to find and fix bugs and patch holes without causing delays or friction.

Aligning SecOps With DevOps

Tools like Trend Micro’s Cloud One can help security teams approach open source security from the ‘right’ of the CI/CD pipeline and embed protection as early as possible in the development process, giving SecOps teams continuous visibility into known risks in their organization’s development ecosystem and projects.

Security teams can monitor and track risks without negatively impacting DevOps teams through automated prioritization of critical issues, including vulnerability and exploit maturity scores. By providing curated information and details about surfaced vulnerabilities, this class of tools can also help SecOps understand how complex dependency paths and transitive vulnerabilities are introduced in a development project. The same insight into hidden dependencies may also help organizations better manage licensing risks across multiple projects.
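As an added illustration of the transitive-dependency problem discussed above (this is example code written for this page, not code from the article or from Trend Micro Cloud One), the following Python walks a constructed dependency graph, records every path by which a component with a known advisory enters the project, and ranks the findings by CVSS plus a hypothetical exploit-maturity weight. The dependency graph, the advisory identifiers (`ADV-EXAMPLE-*`) and the maturity weights are all constructed for the example; the first hop after the root on each path is the direct dependency a developer can actually update, which is the information DevOps needs to fix a transitive finding.

```python
"""Constructed example: find how vulnerable open-source components enter a
project (directly or through transitive dependencies) and rank the findings.
Not the article's or Trend Micro's code; the graph, advisories and scoring
weights below are hypothetical."""
from collections import defaultdict

# Constructed dependency graph: each key depends on the components it lists.
DEPENDENCY_GRAPH = {
    "app": ["web-framework", "http-client", "logging-lib"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "template-engine": ["markup-sanitizer"],
    "markup-sanitizer": ["url-parser"],
    "logging-lib": [],
    "url-parser": [],
}

# Constructed advisories keyed by component; the IDs are placeholders, not real advisories.
ADVISORIES = {
    "url-parser": {"id": "ADV-EXAMPLE-0001", "cvss": 7.5, "exploit_maturity": "proof-of-concept"},
    "markup-sanitizer": {"id": "ADV-EXAMPLE-0002", "cvss": 6.1, "exploit_maturity": "mature"},
    "logging-lib": {"id": "ADV-EXAMPLE-0003", "cvss": 9.8, "exploit_maturity": "no-known-exploit"},
}

# Hypothetical weights: a working exploit raises priority beyond the bare CVSS score.
MATURITY_WEIGHT = {"mature": 3.0, "proof-of-concept": 1.5, "no-known-exploit": 0.0}


def find_vulnerable_paths(graph, root, advisories):
    """Return every path root -> ... -> component for components with an advisory.
    Depth-first walk; the on_path set guards against cycles in the graph."""
    paths = []

    def walk(node, path, on_path):
        for child in graph.get(node, []):
            if child in on_path:
                continue  # cycle: this component is already on the current path
            new_path = path + [child]
            if child in advisories:
                paths.append(tuple(new_path))
            walk(child, new_path, on_path | {child})

    walk(root, [root], {root})
    return paths


def summarize(graph, root, advisories):
    """Collapse the paths per component and rank by CVSS plus exploit maturity."""
    by_component = defaultdict(list)
    for path in find_vulnerable_paths(graph, root, advisories):
        by_component[path[-1]].append(path)

    findings = []
    for component, paths in by_component.items():
        adv = advisories[component]
        findings.append({
            "component": component,
            "advisory": adv["id"],
            "cvss": adv["cvss"],
            "exploit_maturity": adv["exploit_maturity"],
            "priority": adv["cvss"] + MATURITY_WEIGHT[adv["exploit_maturity"]],
            "direct": any(len(p) == 2 for p in paths),
            # The first hop after the root is the dependency a developer can actually bump.
            "introduced_via": sorted({p[1] for p in paths}),
            "path_count": len(paths),
        })
    return sorted(findings, key=lambda f: f["priority"], reverse=True)


if __name__ == "__main__":
    for f in summarize(DEPENDENCY_GRAPH, "app", ADVISORIES):
        kind = "direct" if f["direct"] else "transitive"
        via = ", ".join(f["introduced_via"])
        print(f'{f["priority"]:.1f} {f["component"]} ({f["advisory"]}, {kind}, via {via})')
```

Run as-is, the constructed `url-parser` advisory is reached by three different paths through two direct dependencies, and the `markup-sanitizer` advisory, despite a lower CVSS score, ranks above it once exploit maturity is weighted in; that reordering is the point of prioritizing by exploit maturity rather than by severity alone.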

Ultimately, this enables security teams to report to their CISO with confidence, improve application output quality and mitigate license challenges. It also bridges the communications gap between DevOps and SecOps by helping create a common language. This allows SecOps to become a part of the conversation and help DevOps teams to fix vulnerabilities at the source-code level without friction.

The result is two unified teams working together without silos to deliver a better product. With the right tools to connect SecOps and DevOps seamlessly, improving the security quality of an application, which has traditionally set back development time, can now accelerate it instead.
