Open-source software risks persist, new reports show


Open source software (OSS) has become a mainstay of most applications, but it has also created security challenges for developers and security teams, challenges that could be overcome by the growing “shift left” movement, according to two studies published this week.

More than four in ten organizations (41%) do not have a high level of confidence in their open source security, reveal researchers from Snyk, a developer security firm, and the Linux Foundation in their Open Source Security Status Report.

The report also notes that the time taken to fix vulnerabilities in open source projects has steadily increased over the past three years, from 49 days in 2018 to 110 days in 2021.

The Open Source Debate: Productivity vs. Security

The report, based on a survey of more than 550 respondents, also notes that an average application development project has 49 vulnerabilities and 80 direct dependencies, that is, open source packages the project's own code calls directly. Additionally, the report found that less than half of organizations (49%) have a security policy for developing or using OSS. The figure is worse for medium and large companies: 27%.

“Software developers today have their own supply chains,” says Matt Jarvis, director of developer relations at Snyk. “Instead of assembling auto parts, they assemble code by combining existing open source components with their unique code. While this leads to increased productivity and innovation, it has also created significant security issues.”

Moving security to the left reveals vulnerabilities sooner

Another survey, the AppSec Shift Left Progress Report, suggests that better OSS security can be achieved by moving security “left”, closer to the beginning of the software development lifecycle. The report, based on the experience of users of ShiftLeft’s Core product, found that 76% of new vulnerabilities were fixed within two sprints.

One of the reasons vulnerabilities are patched so quickly is that they are found quickly. “Every code change a developer makes is analyzed in an average of 90 seconds,” says Manish Gupta, CEO and co-founder of ShiftLeft. “Because the code is still fresh in a developer’s mind, it becomes easier for them to fix the vulnerability.”

The report acknowledged that improvements to its software were not the only reason for faster scan times. “We’ve seen the average app size in terms of lines of code go down,” Gupta notes. “This aligns with more organizations moving towards microservices and smaller, more modular applications.”

Increased vulnerability scanning

ShiftLeft customers also saw a 97% drop in the number of OSS vulnerabilities they needed to patch in their applications, because only 3% of those vulnerabilities were actually exploitable by an attacker. When analyzing OSS vulnerabilities, Gupta notes, it is not how many vulnerabilities an application has that counts, but which of them are reachable, and therefore exploitable, by an attacker.

ShiftLeft also reported that its customers improved the average time to mitigate vulnerabilities by 37%, from 19 days in 2021 to 12 days in 2022. It attributed the drop to developers and security teams performing more scans, earlier in the development process. “Some of our customers perform up to 30,000 scans per month,” says Gupta.

Is the vulnerability really exploitable?

The report raises the question: “Is the vulnerability really accessible to an attacker?” This is important for tackling zero-day flaws such as Log4J, which some organizations still face months after its discovery in December 2021. It says 96% of the Log4J used in its customers’ applications was not at risk of being attacked.

Fixing vulnerabilities that are not exploitable will have no impact on risk. De-prioritize them and focus on the others.
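The prioritization the report describes, deciding whether a vulnerable dependency function is actually reachable from the application before spending effort on it, can be shown with a small reachability analysis over a call graph. The following is an added example, not code from the article, from ShiftLeft or from Snyk: the call graph, the entry point, the package names (`app`, `jsonlib`, `logger`) and the `ADV-EXAMPLE-*` advisory ids are all constructed placeholders, not real libraries or CVEs. It walks the graph from the application's entry points and splits the advisories into those whose vulnerable function the application can reach (fix first, with the call chain as evidence) and those it cannot (defer).

```python
"""Reachability-based prioritization of dependency vulnerabilities.

Constructed example: a tiny inter-procedural call graph of an application
and its open source dependencies. An advisory is only prioritized if the
affected library function is reachable from an application entry point.
"""
from collections import deque

# Constructed call graph: caller -> callees. Names prefixed "app." are the
# application's own code; "jsonlib" and "logger" are hypothetical dependencies.
CALL_GRAPH = {
    "app.main": ["app.handle_request", "app.log_startup"],
    "app.handle_request": ["app.parse_body", "jsonlib.loads", "logger.info"],
    "app.parse_body": ["jsonlib.loads"],
    "app.log_startup": ["logger.info"],
    "jsonlib.loads": ["jsonlib._decode"],
    "jsonlib._decode": [],
    "logger.info": ["logger._format"],
    "logger._format": [],
    # Shipped in the dependencies but never called by this application.
    "logger.lookup": ["logger._resolve_remote"],
    "logger._resolve_remote": [],
    "jsonlib.load_file": ["jsonlib._decode"],
}

ENTRY_POINTS = ["app.main"]

# Constructed advisories with placeholder ids (not real CVEs). Each names the
# dependency function that must execute for the flaw to be triggered.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-0001", "package": "logger", "severity": "critical",
     "vulnerable_function": "logger.lookup"},
    {"id": "ADV-EXAMPLE-0002", "package": "jsonlib", "severity": "high",
     "vulnerable_function": "jsonlib._decode"},
    {"id": "ADV-EXAMPLE-0003", "package": "jsonlib", "severity": "medium",
     "vulnerable_function": "jsonlib.load_file"},
]


def reachable_functions(call_graph, entry_points):
    """Breadth-first walk from the entry points; returns every function the
    application can execute, directly or through its dependencies."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in call_graph.get(fn, []):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen


def shortest_path(call_graph, entry_points, target):
    """Return one call chain from an entry point to target, or None if the
    target is unreachable. The chain is the evidence a developer needs."""
    parents = {ep: None for ep in entry_points}
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        if fn == target:
            path = []
            while fn is not None:
                path.append(fn)
                fn = parents[fn]
            return list(reversed(path))
        for callee in call_graph.get(fn, []):
            if callee not in parents:
                parents[callee] = fn
                queue.append(callee)
    return None


def triage(call_graph, entry_points, advisories):
    """Split advisories into reachable (fix first) and unreachable (defer).
    Reachable findings carry the call chain to the vulnerable function and
    are ordered by severity; unreachable ones keep their advisory data."""
    reachable = reachable_functions(call_graph, entry_points)
    fix_now, defer = [], []
    for adv in advisories:
        fn = adv["vulnerable_function"]
        if fn in reachable:
            chain = shortest_path(call_graph, entry_points, fn)
            fix_now.append({**adv, "call_chain": chain})
        else:
            defer.append(adv)
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    fix_now.sort(key=lambda a: rank.get(a["severity"], 99))
    return fix_now, defer


if __name__ == "__main__":
    now, later = triage(CALL_GRAPH, ENTRY_POINTS, ADVISORIES)
    for a in now:
        print("FIX  ", a["id"], a["severity"], " -> ".join(a["call_chain"]))
    for a in later:
        print("DEFER", a["id"], a["severity"], "(vulnerable function not reachable)")
```

In this constructed graph the critical `logger.lookup` advisory is deferred because the application never calls that function, which mirrors the Log4J situation the report describes, while the high-severity `jsonlib._decode` finding is reported with the chain `app.main -> app.handle_request -> jsonlib.loads -> jsonlib._decode`. A real tool builds the call graph from the code itself and has to account for reflection, dynamic dispatch and data-driven calls that a static walk like this one can miss, so "unreachable" is a prioritization signal, not proof of safety.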

Copyright © 2022 IDG Communications, Inc.
