Six Key Findings From The ‘DevSecOps Practices and Open Source Management in 2020’ Report

By : Fred Bals | Thursday, December 17 2020 - 15:05 IWST

Fred Bals - Senior technical expert at Synopsys Software Integrity Group (Photo by synopsys.com)
Fred Bals - Senior technical expert at Synopsys Software Integrity Group (Photo by synopsys.com)

INDUSTRY.co.id - Synopsys surveyed 1,500 IT professionals working in cyber security to analyse the DevSecOps practices used to address open source vulnerability management.

Synopsys recently released the “DevSecOps Practices and Open Source Management in 2020” report, findings from a survey of 1,500 IT professionals working in cyber security, software development, software engineering, and web development. The report explores the strategies that organisations around the world are using to address open source vulnerability management, as well as the problem of outdated or abandoned open source components in commercial code. Survey participants came from the United States, the United Kingdom, Finland, Germany, China, Singapore, and Japan, with at least 50 respondents from each country. Here are six key findings from the report.

1. DevSecOps is growing rapidly worldwide

DevSecOps is the practice of integrating security into every stage of the DevOps pipeline. The “DevSecOps Practices and Open Source Management in 2020” report indicates that the DevSecOps methodology is an important, rapidly growing trend worldwide. A combined 63% of survey respondents reported that they are incorporating some DevSecOps activities into their software development pipelines.

2. There is no one universally adopted application security tool

The responses to the survey indicate that there is no shortage of application security testing (AST) tools and techniques used among the respondents. But for many teams, each tool represents a pain point within their development workflow that can slow development efforts. To ease some of that pain, vendors have focused on integrating their tools within CI/CD pipelines. But while integration can help with tool deployment, it doesn’t necessarily address perception of development teams that too many AST tools slow down or generate additional work for them.

3. Unpatched open source vulnerabilities are a major source of developer pain

The “DevSecOps Practices and Open Source Management in 2020” report reflects that security and a component’s vulnerability to exploit were top-of-mind to respondents; that was cited as the number one selection criterion when vetting a new open source component. It’s also clear from the survey findings that unpatched vulnerabilities are a major source of developer pain. Over half — 51% — of respondents said it takes two to three weeks for them to apply an open source patch. And over 50% of U.S. respondents (40% worldwide) also reported that they had delivery schedules disrupted to address open source vulnerabilities.

As noted in those findings, many organisations — especially in the United States — should accelerate their time-to-patch schedules. A production-grade software composition analysis (SCA) solution is key to reducing patching timelines from weeks to days by providing continuous monitoring for new vulnerabilities and giving guidance on mitigation.

4. Organisations need to increase their investments in software composition analysis

Only 38% of respondents said their organisations are using an SCA tool to address open source security issues early in the software development life cycle. Automated SCA solutions allow development teams to identify and track open source in their code, mitigate security and license compliance risks, and automatically enforce open source policies using existing DevOps tools and processes. Organisations not using SCA tools are probably still employing manual processes to identify and manage open source — processes that can slow down developers and force them to play catch-up on security.

5. Media coverage plays a big role in how organisations respond to open source risk

The media comes under regular — sometimes deserved — criticism from the open source community for exaggerating security incidents and the risk of open source use. However, most responsible reporting notes that the risk comes from the unmanaged use of open source, with reported incidents usually involving unpatched or outdated components, or the lack of an up-to-date software inventory that includes all open source components as well as the versions used, the download locations for each project and all dependencies, the libraries the code calls to, and the libraries those dependencies link to.

The survey results also demonstrate that media coverage of open source issues definitely affects how organisations manage their open source use. Forty-six percent of respondents noted that a story in the media had prompted their organisation to apply more stringent controls on open source usage.

6. Many organisations are defining standards around the age of the open source components they use

A growing issue in the open source community is project sustainability. A 2020 Synopsys study showed that 91% of codebases audited in 2019 contained open source components that either were more than four years out of date or had no development activity in the past two years.

Security risks increase when obsolete code is deployed, including the threat of an open source component being hijacked. In 2018, an attacker took over a piece of open source code that was not being actively maintained and rewrote it to try to steal cryptocurrency. The malicious code was downloaded over 8.5 million times before being discovered.

News Comment

Today's Industry

Citibank

Minggu, 18 April 2021 - 22:10 WIB

Citi Indonesia Reiterates Commitment to Customers During Sale Process of The Consumer Bank Business

Citi today reaffirmed there would be no immediate change to how it serves its local consumer bank customers, as it commences the sale process of its Indonesian consumer business, following the…

Indonesia Port

Sabtu, 17 April 2021 - 06:05 WIB

Indonesia's Export Value in March 2021 is Higher than February

Statistics Indonesia (BPS) released value of Indonesia's exports in March 2021 which reached US$18.35 billion, an increase of 20.31% compared to exports in February 2021, as well as compared…

Minister of Manpower Ida Fauziyah

Sabtu, 17 April 2021 - 05:10 WIB

Manpower Minister Urges BPJS Kesehatan to Speed Up Integration of JKP Beneficiaries’ Data

Minister of Manpower Ida Fauziyah has urged the Health Care and Social Security Agency (BPJS Health) to accelerate the integration of membership data for the social security program of laid-off…

Satgas COVID-19

Sabtu, 17 April 2021 - 04:19 WIB

COVID-19 Task Force Asks Regional Governments to Firmly Enforce Regulations on Eid Homecoming

The COVID-19 Handling Task Force through its spokesperson Wiku Adisasmito reminded regional governments to enforce the rules set by the Government in the Circular of Head of the COVID-19 Handling…

Minister of Villages, Development of Disadvantaged Regions and Transmigration Abdul Halim Iskandar

Sabtu, 17 April 2021 - 03:12 WIB

Gov’t Has Disbursed Village Funds to 34,053 Villages: Minister

The Government has disbursed Rp 11.361 trillion of Village Fund as of 12 April 2021, according to Minister of Villages, Development of Disadvantaged Regions and Transmigration Abdul Halim Iskandar.