Modern application development is largely accomplished by assembling Free and Open Source Software (FOSS) components. How do you know which open source components you are using, and whether they put your applications at risk?

The (Maven) Central Repository served nearly 13 billion component requests in 2013, representing a fundamental shift from "writing" to "assembling" applications. Research shows that up to 90 percent of a typical application is composed of these re-usable components.

There are many reasons open source usage is on the rise: speed to market, developer productivity and the belief that open source components are safe. Eric S. Raymond, an early advocate of open source, said "Given enough eyeballs, all bugs are shallow."

Recent research by Coverity found that in large projects, open source code is slightly safer than proprietary code, but added that Heartbleed was also a wake-up call. "This is a good indication that though many eyes might make all bugs shallow, they don't make bugs shallow fast enough. Two years is far too long for a huge vulnerability to be present, not just in a piece of open source software but one specifically designed to solve a security problem. That class of software should be the most heavily vetted by experts. It's very disappointing to me that it took so long for the defects to be found."

"The idea that lots of people are going to look at it is not enough, we need better tools, we need a better culture around code reviews, a better attitude towards what makes code quality in high security software."

Of the 3,500 respondents to Sonatype's 2014 Open Source Development Survey, 33 percent reported a definite or suspected breach involving an open source component in the past year. Other research shows that 77 percent of all applications contain at least one critical or moderate security vulnerability in an open source component.

A related Aspect Security study found that, in one year, there were more than 46 million downloads of insecure versions of the 31 most popular open source security libraries and web frameworks. Google Web Toolkit (GWT) was downloaded 17.7 million times with known vulnerabilities. Other popular vulnerable libraries downloaded included Xerces, Spring MVC, and Struts 1.x.
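The first step in answering "are we downloading insecure versions?" is an inventory of the exact coordinates and versions an application declares, compared against a policy of affected version ranges. The script below is an added example, not code from this page or from Sonatype's product: it parses a constructed pom.xml (hypothetical `org.example` coordinates, with one version resolved through a Maven property), and checks each dependency against a constructed list of affected ranges. The ranges are placeholders to show the mechanics, not real advisories. Version comparison is numeric-dotted only; Maven qualifiers such as `-rc1` or `-SNAPSHOT` would need a fuller comparator and raise an error here rather than being silently misordered.

```python
"""Inventory Maven dependencies and flag versions inside affected ranges.

Added example. The pom.xml and the affected ranges are constructed
placeholders (hypothetical org.example coordinates), not real advisories.
"""
import re
import xml.etree.ElementTree as ET

# Constructed pom.xml fragment; coordinates are hypothetical.
SAMPLE_POM = """<?xml version="1.0"?>
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>
  <artifactId>demo-app</artifactId>
  <version>1.0.0</version>
  <properties>
    <webfw.version>2.3.1</webfw.version>
  </properties>
  <dependencies>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>web-framework</artifactId>
      <version>${webfw.version}</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>xml-parser</artifactId>
      <version>1.4.10</version>
    </dependency>
    <dependency>
      <groupId>org.example</groupId>
      <artifactId>logging</artifactId>
      <version>3.0.0</version>
      <scope>test</scope>
    </dependency>
  </dependencies>
</project>
"""

# Constructed policy: (group, artifact, lowest affected, first fixed).
# A version is affected when lowest <= version < first fixed.
AFFECTED_RANGES = [
    ("org.example", "web-framework", "2.0.0", "2.3.5"),
    ("org.example", "xml-parser", "0.0.0", "1.4.10"),
]

NS = {"m": "http://maven.apache.org/POM/4.0.0"}


def parse_version(v):
    """Turn '1.4.10' into (1, 4, 10) so tuples order numerically.
    Numeric dotted versions only: a qualifier such as '-rc1' raises
    ValueError instead of being misordered."""
    return tuple(int(p) for p in v.strip().split("."))


def inventory(pom_xml):
    """Return (group, artifact, resolved version, scope) per declared dependency."""
    root = ET.fromstring(pom_xml)
    props_el = root.find("m:properties", NS)
    props = {} if props_el is None else {
        p.tag.split("}")[-1]: (p.text or "").strip() for p in props_el
    }

    def resolve(text):
        # Substitute ${property} references from <properties>; leave unknown ones as-is.
        return re.sub(r"\$\{([^}]+)\}",
                      lambda m: props.get(m.group(1), m.group(0)), text.strip())

    deps = []
    for d in root.findall("m:dependencies/m:dependency", NS):
        def field(tag, default=""):
            return d.findtext("m:" + tag, default, NS) or default
        deps.append((resolve(field("groupId")), resolve(field("artifactId")),
                     resolve(field("version")), field("scope", "compile")))
    return deps


def audit(pom_xml, ranges=AFFECTED_RANGES):
    """Flag each dependency whose version falls inside a matching affected range."""
    findings = []
    for group, artifact, version, scope in inventory(pom_xml):
        pv = parse_version(version)
        for rg, ra, low, fixed in ranges:
            if (rg, ra) == (group, artifact) and parse_version(low) <= pv < parse_version(fixed):
                findings.append({"component": f"{group}:{artifact}:{version}",
                                 "scope": scope, "fixed_in": fixed})
    return findings


if __name__ == "__main__":
    for dep in inventory(SAMPLE_POM):
        print("declared:", ":".join(dep))
    for f in audit(SAMPLE_POM):
        print(f"AFFECTED {f['component']} ({f['scope']}), upgrade to {f['fixed_in']}")
```

Run as-is, the inventory lists three components and the audit flags only `web-framework` 2.3.1; `xml-parser` 1.4.10 sits exactly on the first fixed version and is correctly left alone, which is the boundary case most ad-hoc scripts get wrong. The same loop over a real lock file or a `mvn dependency:list` export, with transitive dependencies included, is what turns "we use open source" into a list of specific coordinates that can be checked.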

This major shift to component assembly is driving the need for much more sophisticated component management. Gaining visibility and governance across a highly complex ecosystem of components and development environments is a challenge that current application security tools were not built to manage.

A new breed of management tool is needed – one that takes more inspiration from the manufacturing supply chain than from traditional application security "problem discovery" tools. And for this new breed of solution to be effective, it can't be an afterthought and it can't slow developers down.

It is these principles that inspired Sonatype's creation of an entirely new approach to application security, one that secures all components throughout the software lifecycle while making it easier for developers to continue their rapidly increasing pace of development. Learn more about Sonatype Component Lifecycle Management.
