Report: Open source breaches have increased by 71 percent

A report from Sonatype highlights that open source breaches have increased by a whopping 71 percent along with several other security findings.

This report is the largest DevOps survey conducted by Sonatype with 5,558 people sharing their views. Participants were from most of the major sectors but primarily in the technology and banking/financial industries.

Respondents’ primary reason for implementing security across the development lifecycle is risk management (34.77%), followed by improving the quality of code (24.75%). Compliance requirements (23.42%) were just behind.

48 percent of developers this year report that security is important but they don’t have enough time to spend on it. This is the same as the previous year, although down from 50 percent in 2017, which indicates developers are still feeling time-constrained.

The report quotes Lu Cortez from graphic design website Canva:

“Not recognising the importance of security in a DevOps strategy is a recipe for disaster. No matter how fast the velocity of a DevOps organization, if what they produce is not supportive of confidentiality, integrity, and availability then they have failed. Including security in everything that is done is part of enabling the business to meet its strategic goals. DevOps needs security.”

Over 85 percent of modern applications use open source components, in part due to the aforementioned time constraints. Developers are opting to use pre-existing code rather than write their own.

A concerning 47 percent of DevOps organisations do not maintain a complete record of what components are used in their applications. Of those with an ‘elite’ DevOps practice, 38 percent report third-party components as being ‘locked down’, 36 percent have ‘some standards’, and 26 percent have ‘no standards’.

In 2014, 14 percent suspected or verified a security breach related to an open source component. This year, that grew to one in four.

There’s an interesting discrepancy between large (more than 5000 developers) and small (fewer than 100) development teams when it comes to security policies. Among small teams, over 60 percent don’t believe their security policies are slowing development. Among large teams, almost 53 percent believe they are.

Fortunately, the majority have a cybersecurity incident response plan in place: 81 percent of those with elite DevOps practices, dropping to 63 percent for those without a DevOps practice in place.

You can download a copy of the full report here.

(Photo by Cristina Gottardi on Unsplash)
