Open-source software (OSS) has become the core of most applications, but it has also created security challenges for developers and security teams, according to two studies published this week, which also suggest those challenges can be overcome through the growing "shift left" movement.
More than four out of ten companies (41%) do not have high confidence in their open-source security, according to the State of Open Source Security Report from Snyk, a developer security firm, and the Linux Foundation.
The report also noted that the time to fix vulnerabilities in open-source projects has steadily increased over the past three years, more than doubling from 49 days in 2018 to 110 days in 2021.
Open Source Debate: Productivity vs. Security
The report, based on a survey of more than 550 respondents, further noted that the average application development project has 49 vulnerabilities and 80 direct dependencies, points where a project calls open-source code. What's more, the report found that less than half of companies (49%) have a security policy for developing or using OSS. The number is even worse for medium- to large-sized companies: 27%.
“Software developers today have their own supply chain,” Matt Jarvis, Snyk’s director of developer relations, explained in a statement. “Instead of assembling car parts, they are integrating code with existing open-source components with their unique code. Although this leads to productivity and innovation, it has also created significant security concerns.”
Shifting security left surfaces vulnerabilities faster
Another report, ShiftLeft's AppSec Progress Report, found that better OSS protection can be achieved by moving security "to the left," closer to the beginning of the software development lifecycle. Based on the experience of users of ShiftLeft's core product, the report found that 76% of new vulnerabilities were fixed within two sprints.
One of the reasons vulnerabilities are fixed so quickly is that they are found quickly. "Every change in code that a developer makes is scanned within 90 seconds," said Manish Gupta, CEO and co-founder of ShiftLeft. "Since the code is still fresh in a developer's mind, it becomes easier for them to fix vulnerabilities."
The report acknowledges that improvements to its software are not the only reason for improved scan time. “We’ve seen the average size of applications go down in terms of lines of code,” it notes. “It aligns with more companies moving into microservices and smaller, more modular applications.”
Extended scanning for vulnerabilities
ShiftLeft customers also saw a 97% reduction in the OSS vulnerabilities that need to be addressed in their applications, because attackers can actually reach only 3% of those vulnerabilities. When analyzing OSS vulnerabilities, Gupta notes, what matters is not how many vulnerabilities an application has, but whether bad guys can exploit them.
ShiftLeft also reported that its customers improved the average time required to remediate vulnerabilities by 37%, down from 19 days in 2021 to 12 days in 2022. This has encouraged developers and security teams to scan more often during the development process. "Some of our customers are doing 30,000 scans a month," Gupta said.
Is the vulnerability actually exploitable?
The report raises the question, "Can the vulnerability really be reached by the attacker?" This is important when dealing with zero-day vulnerabilities like Log4j, which some companies are still dealing with, even months after its discovery in December 2021. It states that 96% of the Log4j instances used in its customers' applications were not attackable.
Remediating vulnerabilities that are not reachable has zero effect on risk. Deprioritize them and focus on the others.
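To make the reachability question concrete, here is an added example that is not taken from either report or from ShiftLeft's product: a toy static reachability triage over a constructed call graph and a constructed advisory list. Every function, package and advisory name below is hypothetical.

```python
from collections import deque

# Constructed call graph of a hypothetical service: caller -> callees.
# Calls into third-party code use "package.function" names.
CALL_GRAPH = {
    "app.handle_request": ["app.parse_body", "app.log_event"],
    "app.parse_body": ["yamllib.safe_load"],
    "app.log_event": ["logfw.format_message"],
    "app.admin_export": ["imglib.decode"],      # present in the code base, never routed
    "logfw.format_message": ["logfw.lookup"],   # edge inside the dependency itself
}

# Constructed advisory feed: vulnerable dependency function -> finding.
# All three packages are in the dependency list, so a plain SBOM match
# would report all three findings.
VULNERABLE_FUNCTIONS = {
    "logfw.lookup": "ADV-0001 (hypothetical RCE via lookup)",
    "imglib.decode": "ADV-0002 (hypothetical heap overflow)",
    "yamllib.full_load": "ADV-0003 (hypothetical unsafe deserialization)",
}

def reachable_from(entry_points, graph):
    """Breadth-first walk from the entry points; returns every function reachable."""
    seen = set(entry_points)
    queue = deque(entry_points)
    while queue:
        fn = queue.popleft()
        for callee in graph.get(fn, ()):
            if callee not in seen:
                seen.add(callee)
                queue.append(callee)
    return seen

def triage(entry_points, graph, vulnerable):
    """Split findings into those on a path from an entry point and those that are not.
    Static reachability is an approximation: dynamic dispatch or reflection can hide
    edges, and whether attacker data actually reaches the sink still needs checking."""
    reachable = reachable_from(entry_points, graph)
    attackable = {f: v for f, v in vulnerable.items() if f in reachable}
    deprioritized = {f: v for f, v in vulnerable.items() if f not in reachable}
    return attackable, deprioritized

if __name__ == "__main__":
    fix_now, later = triage(["app.handle_request"], CALL_GRAPH, VULNERABLE_FUNCTIONS)
    print("fix now:     ", sorted(fix_now))   # only the finding an attacker can reach
    print("deprioritize:", sorted(later))     # dead code and an unused API variant
```

Only `logfw.lookup` is on a path from the request handler; `imglib.decode` sits behind unrouted code and the application calls `yamllib.safe_load`, not the vulnerable `full_load`, so two of the three SBOM matches drop out of the urgent queue.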
Copyright © 2022 IDG Communications, Inc.