Beating Vulnerabilities in Open Source Code
Written by Sue Gee
Monday, 31 August 2020
Open source downloads are on course to reach 1.5 trillion in 2020, an all-time high. At the same time the incidence of cyber attacks actively targeting open source software projects has increased by 430%. How do enterprises respond to the deluge of vulnerabilities and what influences their success?
For the answers we turned to Sonatype’s sixth annual State of the Software Supply Chain Report, which pulls from public and private databases as well as survey data and offers unique insights on the state of open source security and how the proliferation of open source code has left the global supply chain at risk.
Key findings from the report are:
The proliferation of open source code has left the global supply chain at risk. The task of dealing with OSS vulnerabilities falls to software engineers who now face a much heavier burden.
To shed light on the way enterprise software development teams utilize open source components and the performance and risk management outcomes they achieve, Sonatype’s open source and security research team collaborated with Dr. Stephen Magill and Gene Kim to examine how high performing teams successfully demonstrate superior risk management outcomes while maintaining high levels of productivity.
Their findings are summed up as:
[while] adversaries are accelerating, faster is better for open source projects, and productivity does not have to come at the cost of reduced security in the enterprise.
The responses of 679 individuals across a wide variety of industry verticals, including Banking, Retail, Healthcare, and Government to a survey with 41 questions were analyzed using cluster analysis.
This revealed four distinct groups:
⊲ High Performers: high productivity, great risk management outcomes (N=151)
⊲ Low Performers: low productivity, poor risk management outcomes (N=107)
⊲ Security First: low productivity, great risk management outcomes (N=167)
⊲ Productivity First: high productivity, poor risk management outcomes (N=103)
The report presents results that indicate that High Performers significantly outperform the Low Performers in software delivery and security — they deploy more frequently, detect and remediate vulnerable OSS components more quickly, onboard developers onto new teams more quickly, and approve new OSS components for use more quickly. As a final bonus, developers in High Performance teams demonstrate higher levels of job satisfaction.
Last Updated (Monday, 31 August 2020)