Open source breaches up by 71 percent
Open source breaches have increased by 71 percent over the last five years, while 26 percent of companies have reported a confirmed or suspected web application breach in the past year alone, according to a new report.
The study from open source governance specialist Sonatype also shows 41 percent of executives admit their company doesn’t follow an open source governance programme.
"Underpinning 80 to 90 percent of an enterprise application, open source components have played an instrumental role in driving innovation and accelerating time to market," says Derek Weeks, vice president and DevOps advocate at Sonatype. "But with as many as 50 percent of downloaded components containing a known vulnerability, it is critical that organisations implement proper software governance to ensure they're building quality -- and security -- into their applications from the beginning."
DevSecOps practices are helping companies to bolster their cyber security capabilities, however. Of the organisations surveyed, 81 percent of those with elite DevSecOps programmes had a cyber security response plan in place, versus 62 percent of those without. Elite DevSecOps companies are also three times more likely to provide application security training. Other key results show that 62 percent of respondents with elite programmes have an open source governance programme in place, compared to just 25 percent of those without DevOps practices.
Other findings highlight the resourcing challenges facing businesses, and show that little progress has been made. For the third year in a row, almost half (48 percent) of developers stated they believe security is a priority, but don't have enough time to spend on it. In parallel, 50 percent of respondents using cloud infrastructure rely on the cloud provider to deliver security instead of managing it themselves.
"At a time when developers are under pressure and unable to find sufficient time to spend on security, the need for automated application security testing becomes even more apparent," concludes Weeks. "The DevSecOps community has shown us that elite organizations are performing significantly less manual work, boosting efficiencies, simultaneously helping them to improve their cyber security capabilities, and better prepare for security incidents as they arise."
The full survey results are available from the Sonatype website.