Apr 11, 2018
New research: Only 52% of developers using components in their apps update them when a new vulnerability is announced
Open source components have gone mainstream. With every company undoubtedly becoming a software company, open source and commercial components are a vital element in developing applications at the speed of DevOps. But while they’re a powerful tool for adding features and functionalities to applications in relatively short order, they also introduce remarkable security risks.
Wanting to better understand developers’ perspectives around open source and commercial components, we conducted research with Vanson Bourne to help us to understand how and why developers use them, who’s responsible for maintaining them and how they keep track of the components in their applications. What we learned is that organizations’ still lack security awareness: only 52 percent of developers using components in their apps update them when a new security vulnerability is announced.
This number is important, especially when you consider that a single open source vulnerability in an Equifax web server exposed the financial data of 143 million Americans, costing Equifax hundreds of millions of dollars and the trust of their customers. Even with this extreme example, there is still a gap in AppSec:
- More than 80 percent of respondents report using either or both commercial and open source components, with an average of 73 components being used per application.
- The development (44 percent) or security (31 percent) teams are most likely to be responsible for the maintenance of third-party commercial and open source components, which suggests a move towards responsibility for the development team.
- But only 71 percent of organizations report having a formal application security (AppSec) program in place.
- Just over half (53 percent) of organizations keep an inventory of all components (top level and sub components) in their application.
While we’re thrilled to see that there is increased clarity around who is responsible for maintaining components. That said, it’s hard to know what to patch – and when – without comprehensive visibility into all of the components in play.
Interested in learning more about developer views around open source components and risk? Click to download the full research report.
To learn more about CA Veracode’s Software Composition Analysis solution, and how it can help your teams mitigate third-party risk with a Modern Software Factory approach, click here.