Manage Open Source Risk but keep Engineers Empowered

Cigniti blog, published 2021-02-15. Link: https://www.cigniti.com/blog/opensource-risk-engineers-empowered/

One of the major challenges faced by developers is to create a unique, customized, and compelling customer experience quickly. As a result, they no longer write all their own code to solve every problem. Instead, they assemble, configure, and automate their code and often rely on common open source components to quickly add application functionality.

One recent study showed a 21% year-over-year increase in the average number of open source components across the study's evaluated codebase. However, these same critical open source components continue to present a risk to businesses.

The State of Open Source Consumption

According to the latest report written by Gordon Haff, a technology evangelist at Red Hat, on the State of Enterprise Open Source, "95% of respondents say open source is strategically important."

The survey of 950 IT leaders was commissioned by Red Hat to better understand the unique role of enterprise open source. Interestingly, the respondents were unaware that Red Hat was the sponsor of this research.

As part of this survey, "77% of respondents agree enterprise open source will continue to grow. They believe that the growth of open source software will come at the expense of proprietary software. Respondents cite security and cloud management tools as top uses of enterprise open source."

The benefits they expect to gain from enterprise open source are –

The report further adds, "63% of IT leaders have a hybrid cloud infrastructure today. Among those who don't, 54% plan to have one within the next 24 months. And 83% of IT leaders say enterprise open source has been instrumental in their organization's ability to take advantage of cloud architectures."

The common perception is that hybrid cloud architectures and enterprise open source will enable digital transformation.

The Risk involved with Open Source

Open Source Security refers to the risks developers and security teams face today when running third-party open source code in their applications, and to the processes, methodologies, and tools they deploy to mitigate those risks.

Recent attacks exploiting vulnerabilities in open source code have exacted huge costs from enterprises, highlighting the criticality of Open Source Security and the need to execute and monitor related security strategies.

Open source risk is growing exponentially. Senior Infosec Architects need a 360-degree view of application security issues across custom code and open source components before the application is pushed through to the QA team.

Open source is powering the digital transformation we are witnessing today and is used by companies of all sizes, across all industry verticals. Yet it also comes with risks. Developers are pulling in vast amounts of open source dependencies without any security control or visibility.

Acknowledging these risks is an important first step, but it should be followed up with investment in and maintenance of a well-articulated Open Source Security plan that includes continuous security testing and monitoring.

Why Software Composition Analysis is a 'Must Have'

Software Composition Analysis, commonly referred to as SCA, is a segment of the application security testing (AST) tool market that deals with managing open source component use. Today's software products rely heavily on open source components.

Forrester states that, "1 in 8 open source components contain a known security vulnerability. Unfortunately, Security & Development teams are struggling to find and fix them without slowing down development. In order to keep up, your company needs the right SCA solution."

One of the main functions of Software Composition Analysis tools is to identify open source components with known vulnerabilities. Good SCA solutions will not only tell you which open source libraries have known vulnerabilities; they will also tell you whether your code calls the affected library and suggest a fix when applicable. The solution should also identify open source libraries in your code base that need to be updated or patched.

Ideally, SCA customers may look for providers that –

How can we solve the problem?

To address the current threat landscape, one need not strive for perfection but should keep moving forward. Enterprises need to adopt a mature SCA security model that includes detection, prioritization, and remediation. With a mature SCA security model in place, security professionals and developers can focus on other priorities.

As put forth by Gartner analyst Neil MacDonald, "Perfect security is impossible. Zero risk is impossible. We must bring continuous risk and trust-based assessment and prioritization of application vulnerabilities to DevSecOps."

A mature SCA tool may include technologies that prioritize open source vulnerabilities. Enterprises can prioritize these open source vulnerabilities by automatically identifying the security vulnerabilities that present the bigger risk.

After prioritization, it is equally imperative to remediate these vulnerabilities automatically. Based on the security vulnerability policies triggered by vulnerability detection and severity, automated remediation workflows can be initiated. A good SCA solution helps you keep your open source components continuously patched to avoid being exposed to known vulnerabilities.

The main challenge in today's complex digital world lies in securing your application. With the right Software Composition Analysis solution, you are one step closer to mitigating your open source risk.

Cigniti invites you to join an interesting webinar where Rajesh Sarangapani, Head of Innovation & Practice at Cigniti, will be joined by Mitun Zavery, Director Pre-Sales Engineering, Sonatype, to discuss how enterprises need to secure not just the code they write, but also the code they consume from open source projects. The session will help attendees understand the state of open source consumption and the risks involved with it. They will also get an understanding of why Software Composition Analysis is a 'must have' and how the open source challenges can be dealt with.

Register for the webinar and save your spot to listen to some interesting insights on Feb 24th, 2021.

Being a global leader in independent quality engineering services, Cigniti is a strong advocate of Quality Assurance and its implementation right from the early stages of the software lifecycle. We encourage customer feedback and believe in including such feedback in our broader testing approach. We take great measures to ensure that we are fully equipped with state-of-the-art services and have partnered with other experts that specialize in providing testing services. Talk to us.