Open source breaches up by over 70 percent

News by Rene Millman

A quarter of firms confirmed or suspected a web application breach in the past 12 months.

Open source breaches have increased by 71 percent over the last five years, while 26 percent of companies reported a confirmed or suspected web application breach in the past year alone, according to a new survey.

The study, carried out by Sonatype, found that although open source governance programmes have been shown to improve cyber-security capabilities, 41 percent of executives admitted their company doesn't follow one. An earlier research study by the firm showed that over 10,000 organisations - including 65 percent of the Global Fortune 100 - downloaded the flawed component that led to the Equifax breach in the last six months of 2018. Further external research revealed that in October 2018, 51 percent of JavaScript downloads contained a known vulnerability, further demonstrating the scale of the challenge.

However, the findings also demonstrate that progress is being made, and DevSecOps practices are helping companies to bolster their cyber security capabilities. Of the organisations surveyed, 81 percent of those with elite DevSecOps programmes had a cyber-security response plan in place, versus 62 percent of those without; elite DevSecOps companies are also three times more likely to provide application security training. Other key results show that 62 percent of respondents with elite programmes have an open source governance programme in place, versus just 25 percent of those without DevOps practices. 

"Key DevOps principles including: continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach", said Hasan Yasar, technical manager and adjunct faculty member for Carnegie Mellon’s Software Engineering Institute.

"We must all recognise security is a living thing and organisations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cyber-security hygiene and sufficient preparations for a breach without DevSecOps in place."

Other results highlighted the resourcing challenges facing businesses, and showed that little progress has been made. For the third year in a row, almost half (48 percent) of developers stated they believe security is a priority, but that they don't have enough time to spend on it. In parallel, 50 percent of respondents using cloud infrastructure rely on the cloud provider to deliver security instead of managing it themselves.

Evan Dandrea, engineering manager at Canonical, told SC Media UK that the industry continues to create more components to plug together and to layer solutions onto. "In this race to realise market potential, many companies have deprioritised security for profits; all the while the number of access points for breaches is multiplying."

"Today’s developers, therefore, need to build for failure. Assuming that something cannot go wrong will cost the most when it does because businesses will not have a plan," he said.

Vincent Delaroche, founder and CEO at Cast, told SC Media UK that most organisations are unaware of, or aren't interested in finding out, what really lies in the open source components they cut and paste into their IT systems.

"However, many open source components can be poor quality with multiple holes for hackers to exploit. In addition, once a hacker has found a way to hack a part of open source code, they're then able to hack every IT system that uses that component. Therefore, organisations leave themselves open to devastating hacks, cowboy-quality code and lawsuits," he said.
