Developers Failing to Use Secure Open Source Components

Only half of developers using open source components in their software update them to use the most secure version, according to CA Veracode.

The security firm polled 400 app developers from the UK, US and Germany and found just 52% update these components when a new vulnerability is announced.

This could be exposing organizations to serious risks, given the ubiquity of third-party components in modern code. The research revealed that 83% of respondents use either commercial and/or open source components, with an average of 73 used per application.

It’s a widespread practice in DevSecOps as it helps to accelerate time-to-market and improve efficiency, but can lead to flaws sneaking into the code base.

Some 71 vulnerabilities per application are introduced on average through use of third-party components, with only 23% of respondents claiming they test for bugs in components at every release.

“We know that developers care about creating great code, and that means creating secure code,” said Pete Chestna, director of developer engagement, CA Veracode. “In order to be successful, developers need to have clarity on the security policy and the tools to measure against it. When the goal is clear and we give developers access to those tools, they are able to integrate scanning earlier into the software development lifecycle and make informed decisions that take security into consideration. Through this, we see a marked improvement in secure software development and the resulting outcomes.”

The findings chime with separate research from Sonatype, which revealed that one in eight open source components downloaded in the UK last year contained vulnerabilities, a 120% year-on-year increase.

The vendor claimed that 80%-90% of every modern application is made up of open source components, but argued that manual processes and a lack of built-in security controls mean many developers are exposing themselves to unnecessary cyber-risk.

What’s Hot on Infosecurity Magazine?