Using open source components is a common software development process; just how common, however, may come as a surprise — even a shock — to some. The average organization uses 229,000 open source components a year, found research by Sonatype, a provider of software development lifecycle solutions that manages a Central Repository of these components for the Java development community.
There were 31 billion requests for downloads from the repository in 2015, up from 17 billion in 2014, according to Sonatype.
The number “blows people’s minds,” said Derek Weeks, a VP and DevOps advocate at Sonatype. “The perspective of the application security professional or DevOps security professional or open source governance professional is, ‘This really changes the game. If it were 100, I could control that, but if it is 200,000 the world has changed.”
Application Security and Open Source Components
They are right to be concerned. Sonatype’s analysis of downloads found some significant application security issues related to the use of open source components. Notably, 6.1 percent of downloads (one in 16 components) include a known security defect.
“The application security professional’s usual response to that is ‘that doesn’t mean those vulnerabilities ended up in our applications.’ But when we looked across 25,000 applications we saw an average of 6.8 percent of components across those apps had at least one known vulnerability,” Weeks said. “That tells me that from the beginning of the software supply chain to the end products developed through these supply chains, there isn’t enough control.”
The research is contained in Sonatype’s “State of the Software Supply Chain” report, released today. The company produced a similar report last year. The aim, Weeks said, is to educate and increase awareness around the “massive consumption” of open source components and the fact that “not all parts are created equal.”
“By revealing this information, we think we can help change people’s behavior around how they think about and use open source components in wiser, more efficient and safer ways,” he said.
Using Supply Chain Best Practices to Improve Application Security
Software production has, in many ways, become like the production of consumer goods such as electronics and automobiles — and it needs to adopt some of manufacturing’s supply chain best practices such as building in quality as early as possible by sourcing fewer and better components, Weeks said.
According to the research, of the 229,000-plus open source components downloaded annually by an average organization, only some 5,200 downloads are unique. This obviously inefficient practice makes it tougher to vet the components, Weeks said.
“From an application security perspective if you are a CISO that has 2,000 developers individually sourcing components, it is very difficult to audit, protect and maintain your organization. If you limit the number of places where components can come in, you can ensure you know what is coming in and can use the opportunity to vet it,” he said. “This is a fundamental supply chain best practice. Toyota has hundreds of thousands of employees but not hundreds of thousands of employees in procurement; the number of employees that is vetting the components in their products is fairly small.”
Managing and vetting open source components is further complicated by the fact there are repositories for different development languages, including PHP, Python and Ruby, Weeks said, adding, “The only way to manage all of that is to automate how you identify and track these components. If you do not do it in an automated way, you will never be able to keep up with the consumption.”
Application security professionals can create rules around acceptable levels of risk that can then be enforced by automation tools, Weeks explained. “You might say, ‘You can’t use any component with a CVSS Level 10 vulnerability anywhere in our organization.’ Your solution can automatically check for that and notify the developer. It’s like a food label on a product on the grocery shelf; it can help make a decision as to whether a component complies with the organization’s standards.”
More Application Security Best Practices
The report details other application security best practices related to the use of open source components, including:
- Using newer open source components, which have fewer known defects. According to the report, components greater than two years old represent 62 percent of all components scanned and account for 77 percent of security risk.
- Creating a software bill of goods, a practice used by companies like Exxon and the Mayo Clinic, that requires their vendors to provide a list of components used to create apps. “A bill of materials shows you what components are used in what application; if anything goes bad in the future, you will know where you used it,” Weeks said.
- Storing components in a local repository behind a corporate firewall. Such warehouses make it easier to track usage and also speed the development process. In addition, they allow for storage of proprietary components companies do not want to share and help prevent the loss of components that may occur if developers decide to remove their components from central repositories.
Ann All is the editor of Enterprise Apps Today and eSecurity Planet. She has covered business and technology for more than a decade, writing about everything from business intelligence to virtualization.