There has been a surge in open source breaches over the past five years, with just over a quarter of companies reporting a confirmed or suspected breach in the past year alone.
That’s according to Sonatype, an automated open source governance company. The Maryland, US-based firm surveyed 5,558 IT professionals and found a 71% increase in reported open source breaches since 2014.
Open source software, whose source code is made freely available for inspection, redistribution and modification, is often seen as a more cost-effective option than proprietary licensed software.
It also encourages collaboration and transparency. Consequently, open source software has been soaking up an increasing amount of IT investment – making the results of the survey particularly worrying given the prevalence of open source in enterprise applications.
“Underpinning 80 – 90% of an enterprise application, open source components have played an instrumental role in driving innovation and accelerating time to market,” said Sonatype vice president Derek Weeks.
“But with as many as 50% of downloaded components containing a known vulnerability, it is critical that organisations implement proper software governance to ensure they’re building quality – and security – into their applications from the beginning.”
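As an added illustration of the kind of automated governance check the quote points to (example code written for this page, not Sonatype's product or anything from the survey), the Python gate below parses a pinned dependency list, matches each component against advisories that carry an affected version range, and fails the build when a finding meets a severity threshold. Every package name, version and advisory identifier in it is constructed for the example; none refers to a real component or a real vulnerability.

```python
"""Added example: a minimal dependency-governance gate for a CI pipeline.

Not from the article or from Sonatype. All package names, versions and
advisory identifiers below are constructed for illustration only.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
import re

Version = Tuple[int, ...]


@dataclass(frozen=True)
class Advisory:
    package: str
    introduced: Version          # first affected version (inclusive)
    fixed: Optional[Version]     # first fixed version (exclusive); None = no fix yet
    severity: str                # "critical", "high", "medium" or "low"
    advisory_id: str             # constructed identifier, not a real CVE


def parse_version(text: str) -> Version:
    """Turn '2.3.1' into (2, 3, 1) so versions compare numerically, not as strings."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unsupported version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def parse_lockfile(text: str) -> Dict[str, Version]:
    """Parse 'name==version' lines (pip-freeze style). Unpinned entries are rejected,
    because a floating dependency cannot be audited reproducibly."""
    deps: Dict[str, Version] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, _, version = line.partition("==")
        if not version:
            raise ValueError(f"unpinned dependency: {line!r}")
        deps[name.strip().lower()] = parse_version(version.strip())
    return deps


def is_affected(version: Version, adv: Advisory) -> bool:
    """Half-open range check: introduced <= version < fixed (or no fix at all)."""
    if version < adv.introduced:
        return False
    return adv.fixed is None or version < adv.fixed


def audit(deps: Dict[str, Version], advisories: List[Advisory],
          block_severities=("critical", "high")):
    """Return (findings, blocked). findings lists every matching advisory as
    (package, version, advisory_id, severity); blocked is True when any finding
    meets the blocking severity threshold."""
    findings = []
    for adv in advisories:
        version = deps.get(adv.package.lower())
        if version is not None and is_affected(version, adv):
            findings.append((adv.package, ".".join(map(str, version)),
                             adv.advisory_id, adv.severity))
    blocked = any(sev in block_severities for _, _, _, sev in findings)
    return findings, blocked


# Constructed sample inputs: a pinned manifest and three advisories.
SAMPLE_LOCKFILE = """
# constructed manifest for the example
example-web==2.3.1
example-json==1.0.9
example-crypto==0.8.0
"""

SAMPLE_ADVISORIES = [
    Advisory("example-web", (2, 0, 0), (2, 3, 2), "critical", "EX-2018-0001"),
    Advisory("example-json", (1, 0, 0), (1, 0, 5), "high", "EX-2018-0002"),
    Advisory("example-crypto", (0, 5, 0), None, "low", "EX-2018-0003"),
]


def run_gate(lockfile_text: str = SAMPLE_LOCKFILE,
             advisories: List[Advisory] = SAMPLE_ADVISORIES):
    """Run the full check; returns (findings, blocked) for the caller to act on."""
    return audit(parse_lockfile(lockfile_text), advisories)


if __name__ == "__main__":
    found, should_block = run_gate()
    for package, version, advisory_id, severity in found:
        print(f"{severity.upper():8} {package}=={version} matches {advisory_id}")
    raise SystemExit(1 if should_block else 0)
```

On the sample manifest the gate reports example-web 2.3.1 (critical, below the fixed version) and example-crypto 0.8.0 (low, no fix published) and exits non-zero because of the critical finding; example-json 1.0.9 is clear because the fix landed in 1.0.5. In a real pipeline the advisory list would come from a vulnerability feed rather than a constructed literal, and the severity threshold is the policy knob a governance team tunes.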
Equifax: The biggest of open source breaches
Previous Sonatype research showed that more than 10,000 organisations had downloaded the vulnerable Apache Struts component that led to the Equifax breach.
Almost half (48%) of respondents said that while security is a priority, time is the biggest barrier to preventing open source breaches.
“Key DevOps principles, including continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach,” said Hasan Yasar, Technical Manager and Adjunct Faculty Member at Carnegie Mellon’s Software Engineering Institute.
“We must all recognise security is a living thing and organisations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”
The survey was conducted in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit and Twistlock.