News and Notes from the Makers of Nexus | Sonatype Blog

Open Source Governance Hits the C-Suite

Written by Derek Weeks | April 11, 2018

Earlier today, The Wall Street Journal's Adam Janofsky wrote an article entitled How Companies Can Manage Risks Tied to Open-Source Software*. Coverage of this topic is significant for many reasons. First and foremost, it puts a topic in front of the WSJ's executive readership that has drawn growing interest across developer and security communities over the years.

Following high-profile breaches that resulted from vulnerable open source components, like the incident at Equifax, this is a topic that deserves more attention at the executive and board level. As John Willis, co-author of the DevOps Handbook and VP at SJ Technologies, often remarks, "no executive wants to be Equifaxed."

To educate his readers on the subject, Janofsky:

  1. Points to the pervasiveness of open source components being used by software developers today

  2. Highlights the massive efficiency gains for developers, but also sheds needed light on the potential risks of using known vulnerable components; and

  3. Calls for increased vigilance by organizations using open source components in development to ensure they are using the safe versions.

While Sonatype has long preached that software is no longer coded from scratch but assembled from open source components, this knowledge is not widespread across CIO, CSO, and CEO communities. Their organizations have long benefited from the productivity that open source components afford, but highlighting the vulnerabilities associated with some of those components reminds us that there are "no free puppies."

Janofsky also interviewed a few IT managers within universities, who revealed how open source components are managed and assessed within their development practices. He points to the adoption of open source governance boards, manual reviews, and tracking of vulnerability disclosures in public forums. Where no vigilance is in place today, these would all be valiant first actions toward addressing the problem.

On Monday, Sonatype will reveal findings from its 2018 DevSecOps Community Survey. Of the 2,076 development and DevOps professionals who participated this year, 37% stated they had no open source governance policies in place. For those organizations, the baby steps recommended by Janofsky would be a good start.

Good starts won't guarantee sufficient protections though. The reality of development practices reveals that organizations consume massive quantities of open source components to accelerate development. According to Sonatype's State of the Software Supply Chain report last year, the average company consumed over 125,000 open source components, of which 1 in 18 had known security vulnerabilities. In environments operating at this scale, manual component reviews and occasional reviews of vulnerability databases can't keep pace. Automation of these practices becomes paramount at scale.

I'm thrilled that Janofsky brought executive attention to this topic, and I hope it is the first of many steps we can all take toward building better software faster.

*Janofsky's article appeared in the Pro edition of the WSJ and requires a subscription to access.