Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

4/16/2018
03:35 PM
Connect Directly
Twitter
RSS
E-Mail
100%
0%

DevOps May Be Cause of and Solution to Open Source Component Chaos

DevOps is accelerating the trend of componentized development approaches, but its automation can also help enforce better governance and security.

RSA CONFERENCE 2018 – San Francisco – Modern software development is trending more toward a componentized approach because developers would rather assemble something using a variety of well-built pieces of third-party code than reinvent the wheel every time they create something new. The approach has done wonders for speed and agility, but it's increasing a lot of enterprise attack surfaces because too few organizations are keeping up with the vulnerabilities these components pose.

new study outlined today at the DevOps Connect event at RSA Conference in San Francisco shows that the threat, or at least the awareness of the threat, is on the rise. A survey conducted by Sonatype among over 2,000 IT pros — with a heavy emphasis on developers — showed that 31% of participants suspect or have verified a breach related to open source components in the last 12 months. That's more than double the ratio of those answering similarly in 2014.

In some ways, it's inevitable that components are drawing more scrutiny than four years ago. High-profile open source vulnerabilities such as Heartbleed and Struts-Shock are forcing this issue into the security consciousness of more organizations. And big breaches caused by components, such as the one at Equifax, emphasize the consequences of ignoring these vulnerabilities.

Unfortunately, that scrutiny isn't necessarily translating into swift, meaningful action to address the problem. The Sonatype study showed that 62% of organizations today still do not have meaningful controls over what components are in their applications. This number may even be on the optimistic side. A different study out last week from Veracode showed that only 23% of organizations test for vulnerabilities in components at every release and just 52% update those components when a security vulnerability in one of them is announced.

That's startling considering that the Veracode study found that 93% of organizations today utilize open source or third-party components, with an average of 73 components used in these applications. It's clear that this is no niche in development processes — it's simply how applications are built today. And given trends in DevOps, the trend is expected to accelerate.

"DevOps, in a way, has many parallels to high-velocity manufacturing, and as a part of that we're using open source components to be more efficient in that manufacturing," explains Derek Weeks, vice president and DevOps advocate for Sonatype, who went over study findings today.

While that's going to increase the number of components dev teams will use to build their applications, it also introduces a more reliable avenue for imposing some semblance of governance and control over those components.

"What they're doing is introducing tools to manage this massive number of components and parts in the 'manufacturing' process, whether they're containers moving around, bits of source code moving around, bits of open source components moving around, and build artifacts moving around," Weeks says. "They want to be able to release fast and fail fast. If you don't track those parts, it's very hard to release fast and then pull it back if you can't trace it."

Security teams should be able to piggyback onto this level of automation that's mostly been imposed for quality reasons to also control security vulnerabilities within source code. At mature DevSecOps teams, that's already happening, according to the Sonatype study. 

The research showed that among traditional waterfall development shops that do not adhere to DevOps methodologies, just 58% report having open source governance policies in place. What's worse, 48% of those non-DevOps shops with a policy say they ignore those policies. So just a sliver of traditional organizations have rules around how components are used and stick to them. Meanwhile, among mature DevOps shops, 77% report having open source governance policies in place. And just 24% of those organizations ignore the policies.

"When you're embedding open source governance throughout the development life cycle, automation becomes very difficult to ignore," Weeks explains. "It's embedded into the design tools and build tools that you're using, and when it's hitting you in the face as a developer, it's hard to sidestep."

 

Interop ITX 2018

Join Dark Reading LIVE for two cybersecurity summits at Interop ITX. Learn from the industry's most knowledgeable IT security experts. Check out the Interop ITX 2018 agenda here.

Related Content:

Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.  View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
BrianN060
50%
50%
BrianN060,
User Rank: Ninja
4/16/2018 | 4:42:49 PM
DevOps: cause and cure
Thanks Ericka.  The subject matter crosses most data/information security concern boundaries; and a true solution will require coordinated effort from each. 

I doubt if that can happen unless it's orchestrated, from the top, by each organization's Information System architects.  The raison d' etre for IS is informing knowledge workers.  That entails not only supplying information, but regulating it's dissemination.  It is only at the IS level (through the application of business rules, instantiated at the transactional data level), that policies can be enforced - otherwise, they are just suggestions. 
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Microsoft to Officially End Support for Windows 7, Server 2008
Kelly Sheridan, Staff Editor, Dark Reading,  1/13/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-7227
PUBLISHED: 2020-01-18
Westermo MRD-315 1.7.3 and 1.7.4 devices have an information disclosure vulnerability that allows an authenticated remote attacker to retrieve the source code of different functions of the web application via requests that lack certain mandatory parameters. This affects ifaces-diag.asp, system.asp, ...
CVE-2019-15625
PUBLISHED: 2020-01-18
A memory usage vulnerability exists in Trend Micro Password Manager 3.8 that could allow an attacker with access and permissions to the victim's memory processes to extract sensitive information.
CVE-2019-19696
PUBLISHED: 2020-01-18
A RootCA vulnerability found in Trend Micro Password Manager for Windows and macOS exists where the localhost.key of RootCA.crt might be improperly accessed by an unauthorized party and could be used to create malicious self-signed SSL certificates, allowing an attacker to misdirect a user to phishi...
CVE-2019-19697
PUBLISHED: 2020-01-18
An arbitrary code execution vulnerability exists in the Trend Micro Security 2019 (v15) consumer family of products which could allow an attacker to gain elevated privileges and tamper with protected services by disabling or otherwise preventing them to start. An attacker must already have administr...
CVE-2019-20357
PUBLISHED: 2020-01-18
A Persistent Arbitrary Code Execution vulnerability exists in the Trend Micro Security 2020 (v160 and 2019 (v15) consumer familiy of products which could potentially allow an attacker the ability to create a malicious program to escalate privileges and attain persistence on a vulnerable system.