March 4, 2019

Open source breaches increase 71% in five years

By Robert Scammell

There has been a surge in open source breaches over the past five years, with just over a quarter of companies reporting a confirmed or suspected breach in the past year alone.

That’s according to Sonatype, an automated open source governance company. The Maryland, US-based firm surveyed 5,558 IT professionals and found a 71% increase in reported open source breaches since 2014.

Open source software, for which the original source code is freely available to redistribute and modify, is often seen as a more cost-effective option than commercially licensed software.

It also encourages collaboration and transparency. Consequently, open source software has been soaking up an increasing amount of IT investment – making the results of the survey particularly worrying given the prevalence of open source in enterprise applications.

“Underpinning 80 – 90% of an enterprise application, open source components have played an instrumental role in driving innovation and accelerating time to market,” said Sonatype vice president Derek Weeks.

“But with as many as 50% of downloaded components containing a known vulnerability, it is critical that organisations implement proper software governance to ensure they’re building quality – and security – into their applications from the beginning.”

Equifax: The biggest of open source breaches

Credit rating giant Equifax attributed its severe 2017 data breach, in which the records of around 143 million customers were compromised, to an unpatched vulnerability in an open source component.

Previous Sonatype research showed how 10,000 organisations downloaded the flawed component that led to the Equifax breach.

Almost half (48%) of respondents said that while security is a priority, time is the biggest barrier to preventing open source breaches.

“Key DevOps principles, including continuous learning via collaboration, automation (CI/CD), infrastructure as code, and monitoring, help ensure effective and timely responses to any breach,” said Hasan Yasar, Technical Manager and Adjunct Faculty Member at Carnegie Mellon’s Software Engineering Institute.

“We must all recognise security is a living thing and organizations should be prepared to prevent and respond to breaches at any moment within their application lifecycle. It is difficult to imagine proper cybersecurity hygiene and sufficient preparations for a breach without DevSecOps in place.”

The survey was conducted in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit and Twistlock.
