CA Veracode has been beating the drum about the inherent danger of “third party” code in application development. Whether that code is “shrink wrapped” and supplied by a third party firm or open source, our research has shown that it often comes chock full of security holes – some of them exploitable.
Now a report by the firm Sonatype reinforces that message. Sonatype’s survey of 3,500 developers (published as a PDF report) found that use of open source software is exploding in the application development community. Alas, much of it is unchecked, with few if any controls over what components are being used, or how.
The Sonatype Open Source Software Development Survey, released Tuesday, studied the way that organizations adopt, use and support open source software. The survey found that open source use is skyrocketing, with applications now more than 80% “component-based.” But 76% of organizations surveyed admitted they have no formal policy in place to manage or track the use of those components.
“The lack of internal controls and a failure to address security vulnerabilities throughout the software development lifecycle threatens the integrity of the software supply chain and exposes organizations to massive, unmanaged risk,” Sonatype warned.
According to Sonatype, which operates a Central Repository from which open-source components can be downloaded, use of those components exploded in 2012. Sonatype’s Central Repository registered eight billion component downloads, an 800 percent increase in activity since its inception.
Furthermore, nearly 80 percent of the organizations surveyed by Sonatype reported components found in Sonatype’s Central Repository were “important or critical to their development efforts,” with 86 percent claiming that their applications were “80 percent open source with the remaining 20 percent custom components and code.”
But much of that adoption is willy-nilly. Of the large organizations surveyed by Sonatype (defined as companies with more than 500 developers), 76 percent said they have “no control over what components are being used in software development projects.” Fully 65 percent of those companies said they don’t maintain an inventory of components used in production applications. Sonatype said 57 percent of those surveyed “lack any policy governing component usage,” while those that do have policies in place admitted, “enforcement is a challenge and not a top priority.”
Why? Big surprise: developers cited the tendency of such checks to slow development as the major reason they were not adopted, as well as unclear or inconsistent enforcement of policies around component use.
Sonatype found that more than half of survey respondents from large enterprises reported that developers “don’t focus on security at all,” with one in five of those saying they “don’t have the time to spend on it.” Just one in four of the survey respondents said they work at an organization that requires them to prove the components they use do not have known vulnerabilities.
To be sure, Sonatype has a dog in this fight. At the same time they announced the findings of their survey, the company announced “Sonatype CLM” – a Component Lifecycle Management solution that can “secure the entire component lifecycle.” Coincidence? I think not.
That doesn’t mean, however, that we should ignore the findings of the company’s survey. In fact, the results jibe with what CA Veracode has reported in its own State of Software Security Report in recent years.
In the most recent edition of that report, CA Veracode disclosed that the average enterprise has 600 mission-critical applications. Around 65% of those are developed externally, leaving companies increasingly vulnerable to the security risks found in these apps. In fact, CA Veracode found that between 30 and 70% of applications that organizations think of as internally developed are actually composed mostly of third-party libraries and components.
“The widespread adoption of third-party apps and use of external developers in enterprises brings increased risk,” CA Veracode’s Vice President of Research, Chris Eng, said at the time.
It’s long been recognized that organizations take on substantial, but hard-to-quantify risk by trusting their third-party software suppliers to develop applications that meet industry and organizational standards. Organizations embracing agile development methodologies by leaning heavily on open source components are similarly exposing themselves and their customers in ways that they may well not comprehend.
But the security of third party components may soon start to get a lot more attention. The recently released OWASP Top 10 Application Security Vulnerabilities specifically calls out vulnerable third party components as one of the top 10 issues (A9). Naming vulnerable, packaged components explicitly may get organizations to actually recognize a risk they’ve been happy to ignore. However, it’s likely that larger changes – cultural changes – will be needed to bend the priorities of software publishers from speed and time to market towards security and the quality of finished goods.