Developers aren't patching open-source vulnerabilities


As demand for new applications has increased, developers have turned to commercial or open source components in their software to save time and effort. New research, however, has revealed that only 52 per cent of developers update these components once a new security vulnerability has been announced.

CA Veracode has released new data with research conducted by Vanson Bourne that sheds light on how organisations are putting themselves at risk of a breach through using components that have not been updated. 

DevSecOps and similar software development processes have helped improve the security of the code developers write themselves, but to keep up with the demands of the application economy, developers often rely on components that borrow features and functionality from existing projects and libraries.

According to Vanson Bourne's research, 83 per cent of respondents said they use commercial components, open source components, or both, with an average of 73 components used per application. While these components help boost developers' efficiency, they come with inherent security risks.

Although an average of 71 vulnerabilities per application were introduced through the use of third-party components, only 23 per cent of those surveyed reported testing components for vulnerabilities when releasing new software. This may be related to the fact that only 71 per cent of organisations have a formal application security (AppSec) programme in place.

To make matters worse, only 53 per cent of organisations said that they maintain an inventory of all the components in their applications. The State of Software Security Report 2017 also revealed that fewer than 28 per cent of companies conduct regular software composition analysis to understand which components are built into their applications.

Pete Chestna, director of developer engagement at CA Veracode, stressed that developers need to play a greater role in the security process, saying:

“We know that developers care about creating great code, and that means creating secure code. In order to be successful, developers need to have clarity on the security policy and the tools to measure against it. When the goal is clear and we give developers access to those tools, they are able to integrate scanning earlier into the SDLC and make informed decisions that take security into consideration. Through this, we see a marked improvement in secure software development and the resulting outcomes.” 
