WhiteSource Report Exposes Open-Source Vulnerabilities
Enterprises are no stranger to open-source technology; in fact, Forrester reports that the adoption of open source is attractive to businesses because of rapidly evolving systems, credibility for digital startups through strong communities, and disposability — thanks to low costs and easier customization.
What open source also brings to enterprise customers are security and vulnerability concerns. And businesses should be concerned because these types of vulnerabilities are on the rise.
That’s just one finding from “The State of Open Source Vulnerabilities Management,” a report released Thursday by WhiteSource, an open-source security and license management company.
The report includes a survey taken from more than 650 developers, from the U.S. and Western Europe, focused on open-source usage, as well as research into open-source databases, providing an overview of the state of open-source vulnerabilities and the challenges developers are facing with regard to this type of software.
The report also found: developers rely heavily on open-source components and spend a lot of time addressing vulnerabilities; the absence of standard practices and tools for prioritizing and remediating open-source vulnerabilities leads to inefficient use of time; and a solid prioritization strategy for remediation can save development teams time and money and ensure they address the most critical issues first.
The number of disclosed open-source vulnerabilities in 2017 rose by more than 60 percent compared to 2016. The report authors attribute this increase to the software-development community’s focus on open-source security, particularly in light of front-page news stories like that of the Equifax data breach in 2017. The credit reporting company acknowledged a massive data breach in which attackers stole personal data on 143 million Americans. The source of the breach was a vulnerability in the Apache Struts Web Framework, which is open source.
The WhiteSource report also found that almost 97 percent of developers rely on open-source components.
Twenty-six percent of developers rated security as the top challenge posed by open-source components — above integration, functionality, licensing and selection. Survey respondents said that developers spend about 15 hours per month addressing open-source vulnerabilities. How they respond varies: 1 percent do nothing; more than 34 percent research the problem; 33 percent remediate based on open-source community recommendations; approximately 13 percent remediate through patches, if available; and around 19 percent report the problem to other teams, such as security/DevOps or a manager. The point here: there is a lack of best practices for handling open-source vulnerabilities.
On a similar note, the report found that developers often look to the most readily available data when prioritizing remediation, such as how critical the vulnerability is or the availability of a fix; however, it turns out the data that developers choose to rely on isn’t indicative of how critical the specific vulnerability is.
Finally, the report found that a prioritization strategy for open-source remediation can help developers. They can address the most critical issues first and save time and money in the process.
It’s important to note that open-source security risks will persist, as we see them across a myriad of technologies; however, many organizations underestimate the impact of mitigation, and that’s a problem, as 451 Research notes.