Sonatype's annual research report, "2020 State of the Software Supply Chain", uncovers many useful insights into the open-source world. Open source is such a massive part of modern development that the headline statistic, a 430% year-on-year increase in attacks targeting open-source projects, should be a wake-up call for all developers.
The study reports that 90% of the components in a typical application are open source. Developers are under constant pressure to build and deploy faster, which means the dependency on open-source libraries and components is here to stay. Open-source components are so deeply embedded in most products that it is hard to imagine development at any significant scale without some form of open-source dependency.
The dependency on open source extends to firms of all sizes. The study looked at 15,000 enterprise development organisations, which averaged 373,000 open-source component downloads annually. Further analysis showed that 8.3% of those downloads contained at least one known security vulnerability. The numbers are significant, and the takeaway is obvious: we rely on open source, and it carries significant risk.
How do you best protect yourself against open-source vulnerabilities? Cataloguing the open-source code you use and watching for vulnerabilities in it is a time-consuming task. Unlike commercial software with update prompts and auto-updates, manually tracking and patching vulnerable dependencies can eat a great deal of time. Sites like the National Vulnerability Database (NVD) are worth bookmarking to stay current with the latest vulnerabilities and notifications. Be aware, though, that disclosure can take time, and by the time a vulnerability is published it may already be too late to remediate before it is exploited. Software composition analysis (SCA) tools automate the cataloguing step: they inventory the components in your build, typically from manifests or lockfiles, and match each one by name and version against vulnerability databases. A quick search will show you plenty of good options.
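To make the SCA idea concrete, here is a minimal dependency check written as an added example for this article; it is not Crashtest Security's or Sonatype's code, nor a real SCA product. It inventories the exact pins in a constructed requirements.txt and matches them against a constructed advisory feed shaped like OSV records (introduced/fixed version events). The package names and advisory IDs (examplelib, otherlib, EXAMPLE-2020-000x) are fictional, and the version comparison is a deliberately simplified stand-in for full PEP 440 handling.

```python
"""Minimal SCA-style check: inventory pinned Python dependencies and match them
against an OSV-style advisory feed.  Added example, not code from the original
article.  Advisories, package names and IDs below are constructed for
illustration; version handling is a simplified subset of PEP 440."""
import json
import re
from typing import Dict, List, Tuple

# Constructed requirements file contents (sample input, not from the article).
REQUIREMENTS_TXT = """\
# pinned dependencies (constructed sample)
examplelib==1.4.2
otherlib==3.0.0   # comment after the pin
safelib==2.1.0
"""

# Constructed advisory feed shaped like OSV records. IDs and packages are fictional.
ADVISORIES_JSON = json.dumps([
    {
        "id": "EXAMPLE-2020-0001",
        "summary": "examplelib: constructed deserialization issue, fixed in 1.4.3",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "examplelib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "1.0.0"}, {"fixed": "1.4.3"}]}],
        }],
    },
    {
        "id": "EXAMPLE-2020-0002",
        "summary": "otherlib: constructed path traversal, fixed in 2.8.0",
        "affected": [{
            "package": {"ecosystem": "PyPI", "name": "otherlib"},
            "ranges": [{"type": "ECOSYSTEM",
                        "events": [{"introduced": "0"}, {"fixed": "2.8.0"}]}],
        }],
    },
])

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """Turn '1.4.2' into (1, 4, 2). Simplified: numeric release segments only;
    pre-release and local tags are ignored (a real tool needs full PEP 440)."""
    m = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not m:
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(p) for p in m.group(0).split("."))


def parse_requirements(text: str) -> Dict[str, Version]:
    """Inventory exact pins (name==version), skipping comments and blank lines.
    Unpinned specifiers are rejected: you cannot assess what you cannot name."""
    inventory: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*(\S+)$", line)
        if not m:
            raise ValueError(f"only exact pins are supported, got: {line!r}")
        inventory[m.group(1).lower()] = parse_version(m.group(2))
    return inventory


def is_affected(version: Version, events: List[dict]) -> bool:
    """OSV range semantics: 'introduced' opens a half-open interval and the next
    'fixed' closes it; an 'introduced' with no 'fixed' covers every later version."""
    introduced = None
    for ev in events:
        if "introduced" in ev:
            introduced = parse_version(ev["introduced"])
        elif "fixed" in ev and introduced is not None:
            if introduced <= version < parse_version(ev["fixed"]):
                return True
            introduced = None
    return introduced is not None and version >= introduced


def scan(requirements: str, advisories_json: str) -> List[Tuple[str, str, str]]:
    """Return (package, version, advisory_id) for each pinned component whose
    version falls inside an advisory's affected range."""
    inventory = parse_requirements(requirements)
    findings = []
    for adv in json.loads(advisories_json):
        for aff in adv["affected"]:
            name = aff["package"]["name"].lower()
            if aff["package"]["ecosystem"] != "PyPI" or name not in inventory:
                continue
            ver = inventory[name]
            for rng in aff["ranges"]:
                if rng["type"] == "ECOSYSTEM" and is_affected(ver, rng["events"]):
                    findings.append((name, ".".join(map(str, ver)), adv["id"]))
    return findings


if __name__ == "__main__":
    for name, ver, adv_id in scan(REQUIREMENTS_TXT, ADVISORIES_JSON):
        print(f"{name}=={ver} is affected by {adv_id}")
```

Run as-is, the scan flags examplelib 1.4.2 (inside the [1.0.0, 1.4.3) window) and clears otherlib 3.0.0, which is past its fix version. The half-open interval check is the part real SCA tools get right or wrong: the fixed version itself must not be reported, and an advisory with no fix yet must keep matching newer releases.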
The Open Source Security Foundation (OpenSSF) was founded recently to increase the overall security of open-source software, with the stated goal of reducing the time between a vulnerability being found and being remediated to minutes, not months. Industry leaders like Google and Microsoft are key members, and initiatives are already in the works to provide security tooling, training, best practice, and more. You can see the latest from the OpenSSF on GitHub.
Where do dynamic application security testing (DAST) and, more specifically, Crashtest Security fit in? Naturally, we feel regular vulnerability scanning is key to securing your web application. Using a black-box approach, we scan your running application in the same manner an attacker would, so we detect vulnerabilities regardless of where the code came from, open source or otherwise. The two approaches are complementary: SCA tells you which known-vulnerable components you ship, while DAST finds what is actually exploitable in the deployed application, including flaws in your own code. In an ideal world, your DevOps team runs both a DAST and an SCA tool regularly as part of a holistic security strategy.
If you are interested in seeing what Crashtest Security can find in your web applications, the good news is that we have a free 14-day trial. Register here and get scanning within minutes.