Three-fourths of organizations lack app component policy

According to the survey, 76% of organizations have no component management policies in place at all – representing a potentially huge security hole
According to the survey, 76% of organizations have no component management policies in place at all – representing a potentially huge security hole

Nearly 80% of the apps that developers are creating are relying on open-source components, in fact. Unfortunately, organizations continue to struggle with establishing policy to secure and govern component use. According to the survey, 76% of organizations have no component management policies in place at all – representing a potentially huge security hole.

The lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to massive, unmanaged risk, according to Sonatype’s third-annual Open Source Software Development survey.

It reveals that organizations are exposed to significant risks caused by their increasing reliance on open-source components. Sonatype said that component flaws are exceedingly common -- more than 70% of applications contain components with known security flaws classified as severe or critical. Everything from Big Data, to cloud and mobile applications, are exposed to unmanaged risk.

While developers are on the frontlines of application security, making choices every day that affect the quality and security of the applications that run the world, the pressure to add more features and put applications into production quickly comes at what the company calls a “devastating tradeoff” – to go fast or be secure. The survey findings suggest an overwhelming desire by developers for a non-intrusive way to proactively identify, govern and fix flawed components throughout the development lifecycle.

It all comes down to how developers, architects and managers balance the need for speed with the need for security. For large enterprises, more than half said that developers don't focus on security at all. Nearly 20% of this group said they know application security is important but they don't have the time to spend on it, while almost one-third deferred responsibility to the security and risk management group entirely.

"Our world runs on software and software runs on open-source components," said Wayne Jackson, CEO of Sonatype. "Securing networks and operating systems is not enough to protect the critical data housed in modern applications. As the frontline of defense, developers must be empowered not burdened. A new approach to security is needed, one that balances speed, quality and risk. By informing component choice, pinpointing flaws early in the software lifecycle and offering flexible remediation options, enterprises can better protect against malicious exploit, maintain developer productivity and avoid downstream rework costs."

While reliance on open-source components increases year-over-year, limitations on the visibility, control and management of their use continues to be a problem. Of those large organizations surveyed (companies with more than 500 developers), an astonishing 76% have no control over what components are being used in software development projects, and even more alarming is that 65% don't maintain an inventory of components used in production applications.

Despite the widespread acceptance of component-based development, 57% of those surveyed lack any policy governing component usage. Organizations with open-source policies in place share that enforcement is a challenge and not a top priority. Developers cite the biggest problem to open-source policy is that it slows development, expectations are unclear or policy is unenforced, and that problems are found too late in the development lifecycle.

The lack of policy enforcement may be due in part to confusion over who owns or is responsible for monitoring and managing open-source usage, Sonatype said. No single, centralized authority governing open source emerged in the organizations that indicated having a corporate policy. Other contributing factors are that large organizations often are unaware that open source is even being used. Open-source standardization is seen more frequently in organizations with less than 500 developers, but that doesn't mean large enterprises aren't using open-source frameworks and components. For developers on large teams, 44% say they are standardizing on an open-source development infrastructure stack, with 33% stating, "It's not our corporate standard, but tons of people use it."

Even organizations with an open-source policy are doing very little to prevent security vulnerabilities from creeping in. Only 25% of respondents, or one in four organizations surveyed, must prove they're not using components with known vulnerabilities. But due to the high volume of dependencies for each component (often tens or 100s) and the frequency of updates and changes (a typical component is updated four times per year), all organizations concede it's near impossible to monitor and maintain accurate component intelligence.

What’s hot on Infosecurity Magazine?