All
All Customer News Intro to AppSec Managing AppSec Secure Development Research Security News
Software component security.
April 10, 2018

Survey: How Teams are Using Software Components in the Age of DevOps

Neil DuPaul By Neil DuPaul

Secure Development Managing AppSec

New research: Only 52% of developers using components in their apps update them when a new vulnerability is announced

Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks. 

Wanting to better understand developers’ perspectives around open source and commercial components, we conducted research with Vanson Bourne to help us to understand how and why developers use them, who’s responsible for maintaining them and how they keep track of the components in their applications. What we learned is that organizations’ still lack security awareness: only 52 percent of developers using components in their apps update them when a new security vulnerability is announced.

This number is important, especially when you consider that a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars and the trust of their customers. Even with this extreme example, there is still a gap in AppSec:

  • More than 80 percent of respondents report using either or both commercial and open source components, with an average of 73 components being used per application.
  • The development (44 percent) or security (31 percent) teams are most likely to be responsible for the maintenance of third-party commercial and open source components, which suggests a move towards responsibility for the development team.
  • But only 71 percent of organizations report having a formal application security (AppSec) program in place.
  • Just over half (53 percent) of organizations keep an inventory of all components (top level and sub components) in their application.

While we’re thrilled to see that there is increased clarity around who is responsible for maintaining components. That said, it’s hard to know what to patch – and when – without comprehensive visibility into all of the components in play.

Interested in learning more about developer views around open source components and risk? Click to download the full research report.

To learn more about Veracode’s Software Composition Analysis solution, and how it can help your teams mitigate third-party risk with a Modern Software Factory approach, click here.

 

Related Content

To Scan or Not to Scan? Why Frequency Matters for DevSecOps

Mar 19, 2020

AppSec Analytics and Reporting Tools Give You the Edge of Insight

Mar 12, 2020

Veracode Wins Three Awards for AppSec Excellence as a Leader in DevSecOps

Feb 24, 2020

Report: A Cyberattack Could Severely Disrupt the US Financial System

Jan 21, 2020

Live From Gartner Security & Risk Mgmt Summit: Pair Security Trainings With Technical Controls

Jun 18, 2019

Learn from Your Mistakes: How to Create Feedback Loops for Better Security

Aug 03, 2018

Neil DuPaul
By Neil DuPaul

Neil is a Marketing Technologist working on the Content and Corporate teams at Veracode. He currently focuses on Developer Awareness through strategic content creation. In his spare time you'll find him doting over his lovely wife and daughter. He is a Co-Owner of CrossFit Amoskeag in Bedford NH, his favorite topic is artificial intelligence, and his favorite food is pepperoni pizza.

Stay up to date on Application Security

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.

 

No thanks, back to the article please.