April 1, 2021 By Rob Coventry 3 min read

Business disruption caused by IT security breaches is more prevalent and more insidious than ever. Before 2010 these events were considered isolated incidents, but in the last ten years, exploitations and vulnerability breaches are happening more frequently with much greater impact. Their disruption is measured in millions of data records lost, millions of ransom or legal dollars paid, and billions of corporate value evaporated.

Given the risks, costs, and impact, it should be no surprise to find IT security a top priority for most organizations. In fact, the 2021 Global Tech Outlook report by Red Hat found that not only was IT security a top funding priority for respondents, security was also a top barrier to digital transformation success. Mature enterprises are integrating security controls into automated pipelines, shifting security by design practices further left in the development lifecycle and automating with tooling. Unfortunately, few organizations actually consider themselves mature.

In addition, demands for continuous innovation from relentless competition put ever increasing constraints on precious resources. It has been well documented that experienced open source skills are in high demand, but developers are in short supply. In a recent O’Reilly Media survey commissioned by IBM, 93% of hiring managers reported difficulty finding sufficient talent with open source skills, making resource optimization another top priority for most technology leaders. Anything that can be done to free those precious resources returns dividends through reduced time to market.

Security by design is a multifaceted challenge and even developers in organizations with automated tooling and security by design development lifecycles can get bogged down addressing their security challenges. One of the most prevalent application security risks is the identification of common vulnerabilities and exploitations (CVE). Far too often, open source developers are expected to identify and measure the threat exploitability, prevalence, and impact of CVEs. Then, they need to investigate mitigation strategies for each threat across dozens and possibly hundreds of open source packages that make up their cloud application infrastructure.

Automation tools known as Software Composition Analysis (SCA) can be wired into the development pipeline to identify and measure CVE prevalence and exploitability. These tools aggregate data from resources such as the National Vulnerability Database (NVD) and MITRE’s CVE List then integrate into a development pipelines much like a spell checker or grammar checker in a word processor. The problem is that identification and measuring the risk is not the end of the job. Mitigating the risk involves digging further, investigating the right action and taking that action as quickly as possible. And remember, few organizations see themselves as mature and may not have SCA tools integrated into their development pipelines.

You might think that the developer simply needs to apply the security patch to their code. But it is not always that simple. Even if a security patch is available, additional investigation may be required. Developers must decide the steps that are required to apply the patch, keeping in mind complications that have been raised by others, vulnerability tests that must be run, and concerns that may have been raised by other developers. If the patch is not ready, developers must then consider how they can mitigate the issue with minimal impact to their environment.

Developers might spend hours searching across various internet community sources to uncover necessary facts before they can move forward. Incorporating smarter insights can help clients strengthen their security posture while improving developer productivity. With the addition of proactive features such as notifications, new vulnerabilities and new releases based on the users own unique software stack can be identified quicker. By tapping into an open source community with extensive experience, developers will have access to the best sources of information and aggregated security facts. This will save clients precious developer time, reduce risk, and focus their efforts on creating client value and other innovation.

Speed innovation with IBM Open Source Support

Was this article helpful?
YesNo

More from Cloud

5G advantages and disadvantages: What business leaders need to know

7 min read - If you’re in the technology sector (or really, if you’re involved in any business that relies on digital technology at all), you’ve likely heard the buzz around 5G. The latest high-speed cellular network standard is poised to transform wireless connectivity as we know it and usher in a new age of digital transformation. Like any new technology, however, it’s wise to take a step back and consider the pros and cons before diving in. In this article, we’re going to…

Think inside the box: Container use cases, examples and applications

5 min read - Container management has come a long way. For decades, managing containerized environments was a relatively simple affair. The modern idea of a computer container originally appeared back in the 1970s, with the concept first being used to help define application code on Unix systems. Modern containerization technology has moved on steadily from those early beginnings, and when companies run containers now, they’re getting a lot more utility for their investment. From small startups to large, established businesses, container frameworks have…

IBM Tech Now: February 26, 2024

< 1 min read - ​Welcome IBM Tech Now, our video web series featuring the latest and greatest news and announcements in the world of technology. Make sure you subscribe to our YouTube channel to be notified every time a new IBM Tech Now video is published. IBM Tech Now: Episode 92 On this episode, we're covering the following topics: IBM watsonx Orders EDGE3 + watsonx G2 Best of Software Awards Stay plugged in You can check out the IBM Blog Announcements for a full…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters