All
All Customer News Intro to AppSec Managing AppSec Secure Development Research Security News
Software component security.
April 10, 2018

Survey: How Teams are Using Software Components in the Age of DevOps

Neil DuPaul By Neil DuPaul

Secure Development Managing AppSec

New research: Only 52% of developers using components in their apps update them when a new vulnerability is announced

Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks. 

Wanting to better understand developers’ perspectives around open source and commercial components, we conducted research with Vanson Bourne to help us to understand how and why developers use them, who’s responsible for maintaining them and how they keep track of the components in their applications. What we learned is that organizations’ still lack security awareness: only 52 percent of developers using components in their apps update them when a new security vulnerability is announced.

This number is important, especially when you consider that a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars and the trust of their customers. Even with this extreme example, there is still a gap in AppSec:

  • More than 80 percent of respondents report using either or both commercial and open source components, with an average of 73 components being used per application.
  • The development (44 percent) or security (31 percent) teams are most likely to be responsible for the maintenance of third-party commercial and open source components, which suggests a move towards responsibility for the development team.
  • But only 71 percent of organizations report having a formal application security (AppSec) program in place.
  • Just over half (53 percent) of organizations keep an inventory of all components (top level and sub components) in their application.

While we’re thrilled to see that there is increased clarity around who is responsible for maintaining components. That said, it’s hard to know what to patch – and when – without comprehensive visibility into all of the components in play.

To learn more about Veracode’s Software Composition Analysis solution, and how it can help your teams mitigate third-party risk with a Modern Software Factory approach, click here.

 

Related Content

Veracode Makes DevSecOps a Seamless Experience With GitHub Code Scanning

Oct 05, 2020

16% of Orgs Require Developers to Self-Educate on Security

Sep 16, 2020

Write Code That Protects Sensitive User Data

Sep 15, 2020

43% of Orgs Think DevOps Integration Is Critical to AppSec Success

Sep 14, 2020

Spring View Manipulation Vulnerability

Sep 03, 2020

How 80% of Orgs Can Overcome a Lack of Training for Developers

Aug 18, 2020

Neil DuPaul
By Neil DuPaul

Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He currently focuses on Developer Awareness through strategic content creation. In his spare time you'll find him doting over his lovely wife and daughter. He is a Co-Owner of CrossFit Amoskeag in Bedford NH, his favorite topic is artificial intelligence, and his favorite food is pepperoni pizza.

Stay up to date on Application Security

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

No thanks, back to the article please.