Security breaches linked to open source software components have risen by 71% over the past five years, as securing applications continues to be a challenge for many organizations, according to Sonatype.
The DevOps automation firm has been running its global DevSecOps Community Survey for several years now, with 5,558 IT professionals responding to the 2019 edition.
It found that a quarter (24%) suspected or had verified a breach related to open source components in their web applications, up from 14% in 2014.
Open source components, which developers use to speed time-to-market, comprise 80-90% of enterprise applications today. However, a Sonatype study from 2018 revealed that as many as one in eight of these components downloaded in the UK contained known security vulnerabilities.
The firm has also claimed that in the second half of 2018, over 10,000 organizations — including 65% of the Global Fortune 100 — downloaded the flawed component that led to the Equifax breach.
Manual processes and a dearth of built-in security controls mean many developers miss these key vulnerabilities as they rush products out to market.
This chimes with another key finding of the new survey: nearly half (48%) of respondents claimed security is a priority, but they don’t have enough time to spend on it. The figures haven’t budged much from last year (48%) and the year before (50%).
However, it wasn’t all bad news: 81% of those with so-called “elite” DevSecOps programs in place had a cybersecurity response plan, compared with 62% of those not running such programs.
A majority (62%) of elite organizations also have open source governance programs in place, but this needs to extend to all firms, according to Sonatype VP, Derek Weeks.
“At a time when developers are under pressure and unable to find sufficient time to spend on security, the need for automated application security testing becomes even more apparent,” he added.
“The DevSecOps community has shown us that elite organizations are performing significantly less manual work, boosting efficiencies, simultaneously helping them to improve their cybersecurity capabilities, and better prepare for security incidents as they arise.”