DevOps: the solution to open source vulnerabilities?
As the speed at which a business can develop and deploy game-changing applications can spell the difference between survival and success, the DevOps movement has been transformed from the software development periphery to centre stage.
The good news is that this is having an unexpected impact on the ongoing battle to secure open source software.
This is one of the conclusions reached independently by the compilers of two unrelated surveys: "The State of Software Security Today Volume 9", released last week by software security company Veracode; and WhiteSource's "Open Source Security Management in the Age of DevOps", published in January 2018.
In arriving at its conclusions, Veracode analysed 700 000 scans of more than two trillion lines of code in real-world applications on Veracode's application security platform over a 12-month period between 1 April 2017 and 31 March 2018.
The WhiteSource report was based on a survey of over 400 organisations in 2018 as the company sought to understand the policies, processes and tools used to manage the risk associated with the use of open source components in applications.
According to Rami Elron, senior director of product management at WhiteSource, the findings of its survey "clearly show DevOps- and DevSecOps-empowered organisations generally are much more proactive in managing their open source component vulnerabilities.
"As we have seen in other surveys... the gap continues to widen between high-performing IT organisations that have adopted DevOps/DevSecOps and those that haven't, creating a clear delineation of companies that are managing their open source components for risk and vulnerability and those that are not. And those that are not [managing their open source component risk], unfortunately, are destined to become tomorrow's victims," Elron added.
Chris Eng, vice-president of research at Veracode, reached a similar conclusion. He pointed out that vulnerable open source software components continue to "run rampant" within most applications.
However, Eng stated that the latest data presented "hopeful glimpses" that certain prioritisation approaches and software development methods could help organisations reduce risk more quickly than they have done to date. In particular, the DevSecOps "mentality" was encouraging organisations to incorporate more frequent security scans, incremental fixes and faster rates of flaw closure into the software development lifecycle.
But there is still a long way to go. Veracode found that most development organisations had made little headway in creating awareness about serious vulnerabilities like cryptographic flaws, SQL injection and cross-site scripting. The analysis attributed this to organisations struggling to embed security best practices into their software development lifecycles.
Nevertheless, Veracode also found DevSecOps adoptees greatly outperformed their peers in their time to fix flaws, with the most active DevSecOps programs fixing flaws more than 11.5 times faster than the typical non-DevOps/DevSecOps organisation.
"As the DevOps movement has unfolded, security-minded organisations have recognised that embedding security design and testing directly into the continuous software delivery cycle of DevOps is a must...
"This is the genesis of DevSecOps principles, which offer a balance of speed, flexibility and risk management for organisations that adopt them. The difficulty is that, until now, it has been tough to find concrete evidence of DevSecOps' security benefits.
"This year's analysis shows a very strong correlation between high rates of security scanning and lower long-term application risks, which we believe presents a significant piece of evidence for the efficacy of DevSecOps," Eng concluded.