FEATURE : SOFTWARE
New research identifies major growth and gaps in open source adoption
Tim Mackey , Principal Security Strategist , Synopsys Cybersecurity Research Center ( CyRC ), highlights how recent research has shone a light on growth and gaps in open source adoption , while offering advice to organisations on how to create secure applications .
Open source plays a critical role in today ’ s
software ecosystem . The overwhelming majority of modern codebases contain open source components , with open source comprising 70 % or more of the overall code . One major reason for this is that with open source usage , teams can tap into expertise that they would be hard pressed to hire on as employees . And yet , as its adoption grows globally , so too do the mounting security risks posed by unmanaged , or poorly managed , open source usage . After all , you can ’ t manage , and importantly patch , what you don ’ t know you have .
A recent survey of 1,500 IT professionals working in cybersecurity , software development , software engineering and web development was conducted by the Synopsys Cybersecurity Research Center ( CyRC ) and Censuswide , an international market research consultancy . The report explores the strategies that organisations around the world are using to address open source vulnerability management as well as the growing problem of outdated or abandoned open source components in commercial software .
Survey response shows open source security is top-of-mind , but patching is too slow
Security and vulnerability to exploit of an open source component were top of mind to 50 % of respondents – cited as the primary selection criterion when vetting new open source components . With over half ( 51 %) of respondents saying that it takes two to three weeks for their organisation to apply an open source patch . And 24 % noting that it can take up to a month – even when a patch addresses a critical issue – teams are right to prioritise security during the selection phase .
Organisations using open source need to increase investments in SCA
The ability to patch any software starts with knowing that you ’ re running a version of that software . Without
www . intelligentcio . com INTELLIGENTCIO NORTH AMERICA 53