Earlier today, the Wall Street Journal’s Adam Janofsky wrote an article entitled “How Companies Can Manage Risks Tied to Open-Source Software”*. Coverage of this topic is significant for a number of reasons. First and foremost, it brings to the executive readership of the WSJ a topic that has seen growing interest over the years across developer and security communities.
Following high-profile breaches that resulted from the use of vulnerable open source components, such as the incident at Equifax, this topic deserves more attention at the executive and board level. As John Willis, co-author of the DevOps Handbook and VP at SJ Technologies, often remarks, “no executive wants to be Equifaxed”.
To educate his readers on the subject, Janofsky:
While Sonatype has long preached that software is no longer coded from scratch but assembled from open source components, this knowledge is not widespread across CIO, CSO, and CEO communities. Their organizations have long benefited from the productivity that use of open source components affords, but highlighting the vulnerabilities associated with some of those components reminds us that there are “no free puppies”.
Janofsky also interviewed a couple of IT managers at universities, who described how open source components are managed and assessed within their development practices. He points to the adoption of open source governance boards, manual reviews, and tracking of vulnerability disclosures in public forums. Where no vigilance is in place today, these would all be valiant first actions toward addressing the problem.
On Monday, Sonatype will reveal findings from its 2018 DevSecOps Community Survey. Of the 2,076 development and DevOps professionals who participated this year, 37% stated that they had no open source governance policies in place. For those organizations, the baby steps recommended by Janofsky would be a good start.
Good starts won’t guarantee sufficient protection, though. The reality of development practices reveals that organizations are consuming massive quantities of open source components to accelerate development. According to Sonatype’s State of the Software Supply Chain Report last year, the average company consumed over 125,000 open source components, of which 1 in 18 had known security vulnerabilities. In environments operating at this scale, manual component reviews and occasional checks of vulnerability databases can’t keep pace. Automating these practices becomes paramount at scale.
I’m thrilled that Janofsky brought executive attention to this topic, and I hope it is the first of many steps we can all take toward building better software faster.
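To make the automation point concrete, here is an added example (not code from the WSJ article, Sonatype, or any product) of the core of an automated component check: parse a component inventory, then match each component against an advisory feed by affected version range rather than by eyeballing a database. Every package name, version, and advisory id below is constructed sample data, and the advisory record is a simplified stand-in for the schema of a real feed such as OSV or the NVD.

```python
"""Automated check of a component inventory against a vulnerability feed.

Added illustration only. The manifest, package names, versions and advisory
ids are constructed; the Advisory shape is a simplified stand-in for a real
feed's affected-range records.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Advisory:
    advisory_id: str        # placeholder id, not a real CVE
    ecosystem: str          # e.g. "maven", "npm", "pypi"
    package: str            # package coordinate within that ecosystem
    introduced: str         # first affected version (inclusive)
    fixed: Optional[str]    # first fixed version (exclusive); None = no fix yet


def parse_version(version: str) -> Tuple[int, ...]:
    """Split a dotted version into a comparable int tuple.

    Simplification: non-numeric parts (rc1, beta) compare as 0, so a
    pre-release sorts at or above its release. A real scanner must apply
    each ecosystem's own version semantics (semver, PEP 440, Maven).
    """
    return tuple(int(p) if p.isdigit() else 0 for p in re.split(r"[.\-+]", version))


def is_affected(version: str, adv: Advisory) -> bool:
    """True when introduced <= version < fixed (or no fix exists yet)."""
    v = parse_version(version)
    if v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def parse_manifest(text: str) -> List[Tuple[str, str, str]]:
    """Parse 'ecosystem:package==version' lines; blanks and '#' comments skipped."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ecosystem, rest = line.split(":", 1)       # first ':' separates ecosystem
        name, version = rest.split("==", 1)        # Maven coordinates keep their own ':'
        deps.append((ecosystem.strip(), name.strip().lower(), version.strip()))
    return deps


def scan(manifest_text: str, advisories: List[Advisory]):
    """Return (components, findings); findings are (ecosystem, name, version, advisory_id)."""
    index = {}
    for adv in advisories:
        index.setdefault((adv.ecosystem, adv.package.lower()), []).append(adv)
    deps = parse_manifest(manifest_text)
    findings = [
        (eco, name, ver, adv.advisory_id)
        for eco, name, ver in deps
        for adv in index.get((eco, name), [])
        if is_affected(ver, adv)
    ]
    return deps, findings


# Constructed sample inventory: two versions of each fictitious package so the
# range logic is exercised on both sides of the affected window.
SAMPLE_MANIFEST = """\
# ecosystem:package==version
maven:org.example:widgetlib==2.3.1
maven:org.example:widgetlib==2.5.0
npm:sample-parser==1.0.4
npm:sample-parser==1.2.0
pypi:demo-tokenizer==0.9.0
pypi:demo-tokenizer==1.1.0
"""

# Constructed advisories with placeholder ids (ADV-000x), not real CVEs.
SAMPLE_ADVISORIES = [
    Advisory("ADV-0001", "maven", "org.example:widgetlib", "2.0.0", "2.4.0"),
    Advisory("ADV-0002", "npm", "sample-parser", "1.1.0", None),      # no fix yet
    Advisory("ADV-0003", "pypi", "demo-tokenizer", "1.0.0", "1.0.5"),
]


if __name__ == "__main__":
    deps, findings = scan(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    print(f"{len(findings)} of {len(deps)} components have known advisories")
    for eco, name, ver, adv_id in findings:
        print(f"  {eco}:{name}=={ver}  ->  {adv_id}")
```

In practice the inventory comes from the build tool or an SBOM rather than a hand-written file, and the advisory list is pulled from a feed on a schedule; what stays the same is that the match is computed from version ranges on every build, which is what lets a check keep up with the 125,000-component scale the report describes.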
*Janofsky’s article appeared in the Pro edition of the WSJ and requires a subscription to access.