Developers around the world depend on open source components to build their software products. According to industry estimates, open source components account for 60-80% of the code base in modern applications.
Collaboration on open source projects throughout the community produces stronger code, squashing the bugs and catching the vulnerabilities that impact the security of organizations who look to open source components as the key to their application building success.
Thanks in part to the “thousand eyeballs” of the community, the number of reported vulnerabilities in open source projects is on the rise, spiking 51% in 2017 from the previous year.
This is even more concerning since, as shown in the same study, most vulnerabilities are found in popular projects. Data shows that 32% of the top 100 open source projects have at least one vulnerability, meaning that developers have their work cut out for them, no matter which components they are using in their products.
While it is better to know about vulnerabilities than to have them remain in the dark, giving teams the opportunity to patch before they are exploited by attackers, keeping up with the workload of remediating vulnerable components can pose a significant challenge for organisations.
The answer would appear to be embracing the shift-left model that has long been associated with DevOps, extending the approach to incorporate security practices early in the software development lifecycle.
Security starts with developers, from their creation of the code through the post-deployment remediations where fixing vulnerabilities can be quite time-consuming.
According to our recent survey on challenges facing developers in using open source, respondents reported that they spend 15 hours a month on average dealing with open source vulnerabilities.
While that is in itself a significant chunk of time, what was surprising was that only 3.8 of these hours actually went towards the work of remediating the vulnerabilities. The rest of the time, apparently, was spent trying to understand where to start in tackling them.