Save time and strengthen your open source application security

By | 3 minute read | April 1, 2021

Business disruption caused by IT security breaches is more prevalent and more insidious than ever. Before 2010 these events were considered isolated incidents, but in the last ten years, exploitations and vulnerability breaches are happening more frequently with much greater impact. Their disruption is measured in millions of data records lost, millions of ransom or legal dollars paid, and billions of corporate value evaporated.

Given the risks, costs, and impact, it should be no surprise to find IT security a top priority for most organizations. In fact, the 2021 Global Tech Outlook report by Red Hat found that not only was IT security a top funding priority for respondents, security was also a top barrier to digital transformation success. Mature enterprises are integrating security controls into automated pipelines, shifting security by design practices further left in the development lifecycle and automating with tooling. Unfortunately, few organizations actually consider themselves mature.

In addition, demands for continuous innovation from relentless competition put ever increasing constraints on precious resources. It has been well documented that experienced open source skills are in high demand, but developers are in short supply. In a recent O’Reilly Media survey commissioned by IBM, 93% of hiring managers reported difficulty finding sufficient talent with open source skills, making resource optimization another top priority for most technology leaders. Anything that can be done to free those precious resources returns dividends through reduced time to market.

Security by design is a multifaceted challenge and even developers in organizations with automated tooling and security by design development lifecycles can get bogged down addressing their security challenges. One of the most prevalent application security risks is the identification of common vulnerabilities and exploitations (CVE). Far too often, open source developers are expected to identify and measure the threat exploitability, prevalence, and impact of CVEs. Then, they need to investigate mitigation strategies for each threat across dozens and possibly hundreds of open source packages that make up their cloud application infrastructure.

Automation tools known as Software Composition Analysis (SCA) can be wired into the development pipeline to identify and measure CVE prevalence and exploitability. These tools aggregate data from resources such as the National Vulnerability Database (NVD) and MITRE’s CVE List then integrate into a development pipelines much like a spell checker or grammar checker in a word processor. The problem is that identification and measuring the risk is not the end of the job. Mitigating the risk involves digging further, investigating the right action and taking that action as quickly as possible. And remember, few organizations see themselves as mature and may not have SCA tools integrated into their development pipelines.

You might think that the developer simply needs to apply the security patch to their code. But it is not always that simple. Even if a security patch is available, additional investigation may be required. Developers must decide the steps that are required to apply the patch, keeping in mind complications that have been raised by others, vulnerability tests that must be run, and concerns that may have been raised by other developers. If the patch is not ready, developers must then consider how they can mitigate the issue with minimal impact to their environment.

Developers might spend hours searching across various internet community sources to uncover necessary facts before they can move forward. Incorporating smarter insights can help clients strengthen their security posture while improving developer productivity. With the addition of proactive features such as notifications, new vulnerabilities and new releases based on the users own unique software stack can be identified quicker. By tapping into an open source community with extensive experience, developers will have access to the best sources of information and aggregated security facts. This will save clients precious developer time, reduce risk, and focus their efforts on creating client value and other innovation.