We recently surveyed 308 security professionals in the US and UK tasked with application security to find out their top AppSec concerns, stumbling blocks and tactics. Their biggest AppSec concern? Overwhelmingly, it was reducing the risk of attacks while building, buying and integrating more software than ever. A majority (58 percent) of survey respondents cited this as a concern. Across regions and company size, those numbers remain relatively similar. A related concern that significant numbers of respondents cited was building and deploying applications faster while reducing business risk.
Trends behind the concern
An important factor behind both concerns is the change in development methods adopted to meet the demand for large amounts of software on very tight deadlines: DevOps and continuous deployment/release models are becoming more common, and open source components are used more heavily.
Increasingly, developers are supplementing their own code with open source code. These open source components speed development because they spare developers from having to “reinvent the wheel”; it doesn’t make sense to create code from scratch when high-quality, functioning code that meets your needs already exists.
In the same way that you use pre-made “components” when cooking to save time (you probably don’t grow peanuts and make your own peanut butter), software components allow developers to move faster.
But both these time-savers come with risk. You most likely don’t know where each ingredient in your peanut butter comes from; you just have to assume the manufacturer uses quality ingredients and safe handling practices. But based on the frequent headlines about listeria outbreaks and food recalls, we know that isn’t always the case.
Using open source components in software development creates risk as well – but risk of vulnerable code leading to a data breach, not stomach distress. And the risk is substantial. Just as one bad peanut crop affects a lot of jars of peanut butter, one vulnerability in a widely used component reaches a lot of applications. In fact, a recent analysis of our platform data found that approximately 97 percent of Java applications contained at least one component with a known vulnerability. It would be almost impossible to keep track of the source, quality and safety of every ingredient in your recipes (although the “eat local” movement is in part a reflection of that concern). But tracking the components in your software is not impossible; emerging technologies make the task manageable.
Overcoming the obstacle
Keep in mind that, despite the risk components introduce, they are still best practice for any company attempting to rapidly produce and deploy new applications or updates. Component use isn’t the problem; lack of visibility into component use is the problem. And it’s a big problem. Only 30 percent of respondents to our survey report that they inventory all open source components used in development.
The solution? Implement tooling that records which applications use each component and at which version. When a vulnerability is disclosed in a component, that inventory tells you immediately which applications are affected and which need to move to the fixed version. And, ultimately, it keeps developers creating and innovating quickly, without introducing additional risk.
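The inventory described above, as an added example written for this page (it is not part of the original post and not Veracode's product). It parses Maven pom.xml manifests for several applications, records which application uses which component at which version, and then matches the inventory against a list of advisories to list every affected application. The manifests and the advisory list are constructed, the com.example components are hypothetical, and the parser reads only the dependencies an application declares directly; a real tool would also resolve the transitive dependencies those components pull in, which is where much of the exposure hides.

```python
"""Component inventory across several applications' Maven manifests, with
advisory matching. Added example for this page, not Veracode's tooling.
The pom.xml fragments, the advisory list and the com.example components
are constructed for illustration."""
import re
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed manifests: one pom.xml per application. reporting-batch sets
# its parser version through a <properties> entry, as real builds often do.
MANIFESTS = {
    "billing-api": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.example</groupId><artifactId>widget-parser</artifactId><version>2.9.10</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>httpkit</artifactId><version>4.5.13</version></dependency>
</dependencies></project>""",
    "customer-portal": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0"><dependencies>
<dependency><groupId>com.example</groupId><artifactId>widget-parser</artifactId><version>2.9.10.4</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>httpkit</artifactId><version>4.5.14</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>logfmt</artifactId><version>1.2.0</version></dependency>
</dependencies></project>""",
    "reporting-batch": """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
<properties><parser.version>2.9.10.2</parser.version></properties><dependencies>
<dependency><groupId>com.example</groupId><artifactId>widget-parser</artifactId><version>${parser.version}</version></dependency>
<dependency><groupId>com.example</groupId><artifactId>httpkit</artifactId><version>4.5.13</version></dependency>
</dependencies></project>""",
}

# Constructed advisories: (component, first fixed version); every earlier
# release is treated as affected.
ADVISORIES = [
    ("com.example:widget-parser", "2.9.10.4"),
    ("com.example:httpkit", "4.5.14"),
]


def _local(tag):
    """Strip the XML namespace so Maven tags compare as plain names."""
    return tag.rsplit("}", 1)[-1]


def parse_pom(text):
    """Return {"group:artifact": version} for the direct dependencies in a pom,
    resolving ${property} references against the pom's <properties>."""
    root = ET.fromstring(text)
    props = {}
    for el in root.iter():
        if _local(el.tag) == "properties":
            props = {_local(p.tag): (p.text or "").strip() for p in el}
    deps = {}
    for dep in root.iter():
        if _local(dep.tag) != "dependency":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in dep}
        version = re.sub(r"\$\{([^}]+)\}",
                         lambda m: props.get(m.group(1), m.group(0)),
                         fields.get("version", ""))
        deps[f"{fields['groupId']}:{fields['artifactId']}"] = version
    return deps


def build_inventory(manifests):
    """Map component -> version -> sorted list of applications using it."""
    inventory = defaultdict(lambda: defaultdict(set))
    for app, text in manifests.items():
        for component, version in parse_pom(text).items():
            inventory[component][version].add(app)
    return {c: {v: sorted(a) for v, a in vs.items()} for c, vs in inventory.items()}


def version_key(version):
    """Turn '2.9.10.4' into (2, 9, 10, 4) so versions compare numerically
    rather than as strings ('2.10' would otherwise sort below '2.9')."""
    return tuple(int(p) if p.isdigit() else -1 for p in re.split(r"[.\-]", version))


def find_exposed(inventory, advisories):
    """Return (app, component, version, fixed_in) for every affected use."""
    hits = []
    for component, fixed_in in advisories:
        for version, apps in inventory.get(component, {}).items():
            if version_key(version) < version_key(fixed_in):
                hits.extend((app, component, version, fixed_in) for app in apps)
    return sorted(hits)


if __name__ == "__main__":
    inv = build_inventory(MANIFESTS)
    for app, component, version, fixed_in in find_exposed(inv, ADVISORIES):
        print(f"{app}: {component} {version} affected, upgrade to {fixed_in}")
```

Running the block lists billing-api and reporting-batch against both advisories and leaves customer-portal, which is already on the fixed releases, untouched. The numeric version comparison is the part most often got wrong in home-grown scripts; a string comparison would rank 2.9.10.2 above 2.9.10.4's sibling 2.10 and silently miss affected applications.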
Find out what else your peers are thinking and doing about application security; check out the full survey results in our new report, Trends and Tactics: How IT Professionals Are Approaching AppSec Today.