Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks.
Wanting to better understand developers’ perspectives on open source and commercial components, we conducted research with Vanson Bourne to learn how and why developers use them, who is responsible for maintaining them, and how they keep track of the components in their applications. What we learned is that organizations still lack security awareness: only 52 percent of developers using components in their apps update them when a new security vulnerability is announced.
This number is important, especially when you consider that a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars and the trust of their customers. Even with this extreme example, there is still a gap in AppSec:
We’re pleased to see that there is increased clarity around who is responsible for maintaining components. That said, it’s hard to know what to patch, and when, without comprehensive visibility into all of the components in play.
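To make the visibility point concrete, here is an added example written for this edit (it is not Veracode’s code, nor part of the research report). It builds a component inventory from a pinned requirements file and checks each pinned version against a list of advisories, reporting which components are below the first fixed version. The requirements text, package names, versions and advisory identifiers are all constructed sample data; a real check would read the application’s actual lockfile and a real advisory feed.

```python
"""Added example: minimal component inventory check against an advisory list.
All package names, versions and advisory identifiers below are constructed
placeholders, not real projects or real advisories."""

import re

# Constructed sample lockfile in requirements.txt syntax with exact pins.
SAMPLE_REQUIREMENTS = """\
# constructed sample; names and versions are illustrative only
examplelib==1.4.2
netparse==0.9.0 ; python_version >= "3.8"
jsonhelper==2.0.1
"""

# Constructed sample advisories: component, first fixed version, identifier.
# The identifiers are placeholders, not real CVE numbers.
SAMPLE_ADVISORIES = [
    {"name": "examplelib", "fixed_in": "1.5.0", "id": "ADVISORY-PLACEHOLDER-1"},
    {"name": "jsonhelper", "fixed_in": "2.0.1", "id": "ADVISORY-PLACEHOLDER-2"},
    {"name": "otherlib", "fixed_in": "3.1.0", "id": "ADVISORY-PLACEHOLDER-3"},
]

# Matches "name==version"; anything after the version (markers, comments) is ignored.
PIN_RE = re.compile(r"^\s*([A-Za-z0-9_.-]+)\s*==\s*([0-9][0-9A-Za-z.]*)")


def parse_version(text):
    """Turn a dotted version into a comparable tuple of ints.
    Non-numeric segments (e.g. '1a') count as 0; this is deliberately simple
    and does not implement full PEP 440 ordering."""
    parts = []
    for segment in text.split("."):
        m = re.match(r"\d+", segment)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b; pads so 1.4 == 1.4.0."""
    va, vb = parse_version(a), parse_version(b)
    width = max(len(va), len(vb))
    return va + (0,) * (width - len(va)) < vb + (0,) * (width - len(vb))


def parse_requirements(text):
    """Build an inventory {component_name_lowercase: pinned_version}."""
    inventory = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        m = PIN_RE.match(line)
        if m:
            inventory[m.group(1).lower()] = m.group(2)
    return inventory


def find_outdated(inventory, advisories):
    """Return (name, pinned, fixed_in, advisory_id) for every component in the
    inventory whose pinned version is older than the advisory's fixed version.
    Advisories for components not in the inventory are skipped."""
    findings = []
    for adv in advisories:
        pinned = inventory.get(adv["name"].lower())
        if pinned is None:
            continue
        if version_lt(pinned, adv["fixed_in"]):
            findings.append((adv["name"], pinned, adv["fixed_in"], adv["id"]))
    return findings


if __name__ == "__main__":
    inv = parse_requirements(SAMPLE_REQUIREMENTS)
    for name, pinned, fixed_in, adv_id in find_outdated(inv, SAMPLE_ADVISORIES):
        print(f"{name} {pinned} needs update to >= {fixed_in} ({adv_id})")
```

Run as-is, the script reports only `examplelib`: `jsonhelper` is already at the fixed version and `otherlib` is not in the inventory at all, which is the distinction that is impossible to draw without an inventory in the first place.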
Interested in learning more about developer views around open source components and risk? Click to download the full research report.
To learn more about Veracode’s Software Composition Analysis solution, and how it can help your teams mitigate third-party risk with a Modern Software Factory approach, click here.