Sonatypes annual research “2020 State of the software supply chain” uncovers lots of great insights into the open-source world. Open source is such a huge part of modern development that the headline stat of 430% increase year on year of attacks targeting open-source projects should be a wake-up call for all developers.
The study reports that 90% of components in an application are open source. Developers are under constant pressure to build and deploy faster and this means the dependency on open source libraries and components is here to stay. In fact, the open-source components are so deeply hooked into most products that it is hard to imagine large scale development without some form of open-source dependency.
The dependency on open source extends to firms of all sizes and the study looked at 15,000 enterprise development organisations of which they had an average of 373,000 open source component downloads annually. Further analysis showed that 8.3% of the open-source downloads contained at least one known security vulnerability. The numbers are big and the takeaway is really clear, we rely on open source but it carries significant risk.
How do you best protect yourself against open source vulnerabilities? Cataloging the open-source code you use and looking out of for vulnerabilities is a timely task. Unlike commercial software with prompts and auto-updates, manually patching for vulnerabilities can be very time-consuming. Sites like the National Vulnerability Database are good to bookmark for staying up to date with the latest vulnerabilities and notifications. Be aware though that disclosure can take time and likely too late to make effective remediation. Software composition analysis (SCA) tools exist for the specific job of looking at open source databases and potential vulnerabilities, a quick search will show you lots of great options out there.
The open source security foundation (OSSF) has been recently founded with a view to reducing the time between vulnerability findings and remediation to minutes, not months. Industry leaders like Google & Microsoft are key members and initiatives are already in the works for proving security tooling, training, best practice, and more. You can see the latest from the OSSF on GitHub.
The OpenSSF aims to increase overall security of open source software
Where does dynamic application security testing (DAST) and more specifically, Crashtest Security fit in? Naturally, we feel regular vulnerability scanning is key to securing your web application. Using a black box approach, we scan your application in the same manner an attacker would. That means we will detect vulnerabilities regardless of the codes origin, open source or otherwise. In an ideal world, your DevOps team will be regularly utilising a DAST and a SCA tool for a holistic security strategy.
If your interested in seeing what Crashtest Security can find within your web applications then good news, we have a free 14-day trial! Simply register here and get scanning within minutes.