In August 2022, the Enterprise Strategy Group (ESG) released "Walking the Line: GitOps and Shift Left Security," a multiclient developer security research report examining the current state of application security. The report's key finding is the prevalence of software supply chain risks in cloud-native applications. Jason Schmitt, general manager of the Synopsys Software Integrity Group, echoed this, stating, "As organizations are witnessing the level of potential impact that a software supply chain security vulnerability or breach can have on their business through high-profile headlines, the prioritization of a proactive security strategy is now a foundational business imperative."
The report shows that organizations are realizing the supply chain is more than just dependencies. It's development tools/pipelines, repos, APIs, infrastructure-as-code (IaC), containers, cloud configurations, and more.
Although open source software may be the original supply chain concern, the shift toward cloud-native application development has organizations concerned about the risks posed to additional nodes of their supply chain. In fact, 73% of organizations reported that they have "significantly increased" their software supply chain security efforts in response to recent supply chain attacks.
Respondents to the report's survey cited the adoption of some form of strong multifactor authentication technology (33%), investment in application security testing controls (32%), and improved asset discovery to update their organization's attack surface inventory (30%) as key security initiatives they are pursuing in response to supply chain attacks.
Forty-five percent of respondents cited APIs as the area most susceptible to attack in their organization today. Data storage repositories were considered most at risk by 42%, and application container images were identified as most susceptible by 34%.
The report shows that a lack of open source management is threatening SBOM compilation.
The survey found that 99% of organizations either use or plan to use open source software within the next 12 months. While respondents have many concerns regarding the maintenance, security, and trustworthiness of these open source projects, their most-cited concern relates to the scale at which open source is being leveraged within application development. Ninety-one percent of organizations using open source believe their organization's code is — or will be — composed of up to 75% open source. Fifty-four percent of respondents cited "having a high percentage of application code that is open source" as concern or challenge with open source software.
Synopsys studies have likewise found a correlation between the scale of open source software (OSS) usage and the presence of related risk. As the scale of OSS usage increases, its presence in applications will naturally increase as well. Pressure to improve software supply chain risk management has placed a spotlight on software bill of materials (SBOM) compilation. But with exploding OSS usage and lackluster OSS management, SBOM compilation becomes a complex task — and 39% of survey respondents in the ESG study marked as a challenge of using OSS.
OSS risk management is a priority, but organizations lack a clear delineation of responsibilities.
The survey points toward the reality that while the focus on open source patching following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has resulted in a significant increase in OSS risk mitigation activities (the 73% we mentioned above), the party responsible for these mitigation efforts remains unclear.
A clear majority of DevOps teams view OSS management as part of the developer role, whereas most IT teams view it as a security team responsibility. This may well explain why organizations have long struggled to properly patch OSS. The survey found that IT teams are more concerned than security teams (48% vs. 34%) about the source of OSS code, which is a reflection on the role IT has in properly maintaining OSS vulnerability patches. Muddying the waters even further, IT and DevOps respondents (at 49% and 40%) view the identification of vulnerabilities before deployment as the security team's responsibility.
Developer enablement is growing, but lack of security expertise is problematic.
"Shifting left" has been a key driver of pushing security responsibilities to the developer. This shift has not been without challenges; although 68% of respondents named developer enablement as a high priority in their organization, only 34% of security respondents actually felt confident with Development teams taking on responsibility for security testing.
Concerns like overburdening development teams with additional tooling and responsibilities, disrupting innovation and velocity, and obtaining oversight into security efforts seem to be the biggest obstacles to developer-led AppSec efforts. A majority of security and AppDev/DevOps respondents (at 65% and 60%) have policies in place allowing developers to test and fix their code without interaction with security teams, and 63% of IT respondents said their organization has policies requiring developers to involve security teams.
About the Author
Mike McGuire is a senior solutions manager at Synopsys where he is focused on open source and software supply chain risk management. After beginning his career as a software engineer, Mike transitioned into product and market strategy roles, as he enjoys interfacing with the buyers and users of the products he works on. Leveraging several years of experience in the software industry, Mike's main objective is connecting the market's complex AppSec problems with Synopsys' solutions for building secure software.