Open source plays a critical role in today's software ecosystem. The overwhelming majority of modern codebases contain open source components, with open source often comprising 70% or more of the overall code. Yet alongside the growth in open source use comes a mounting security risk from unmanaged open source components.
Synopsys has released the report DevSecOps Practices and Open Source Management in 2020, which highlights how organizations are struggling to effectively track and manage their open source risk.
“Over half—51%—say it takes two to three weeks for them to apply an open source patch,” said Tim Mackey, principal security strategist of the Synopsys Cybersecurity Research Center.
“This is likely tied to the fact that only 38% are using an automated software composition analysis (SCA) tool to identify which open source components are in use and when updates are released. The remaining organizations are probably employing manual processes to manage open source—processes that can slow down development and operations teams, forcing them to play catch-up on security in a climate where, on average, dozens of new security disclosures are published daily,” Mackey added.
DevSecOps is rapidly growing worldwide. A combined 63% of respondents reported that they are incorporating some measure of DevSecOps activities into their software development pipelines.
There is no universally adopted application security testing (AST) tool. As the responses to the survey questions indicate, there is no shortage of application security testing tools and techniques. However, even the AST tool with the highest adoption rate is used by fewer than half of respondents.
The media plays an important role in open source risk management. Forty-six percent of respondents noted that media coverage had prompted their organization to apply more stringent controls on open source usage.
Forty-seven percent of respondents are defining standards around the age of the open source components they use. This reflects a growing issue in the open source community: project sustainability.