Intelligent CIO North America Issue 6 - Page 54



the use of a software composition analysis (SCA) tool, which is designed to identify open source usage, knowing where open source components are used and what the current patch status of each component is can be a challenge.
The survey respondents indicated that only 38% were using an SCA tool, which, in addition to providing an inventory of open source usage, would help teams quickly identify outstanding patches. How often those patches are actually applied is governed by the release cycle and QA effort of each team.
The results also indicate that corporate adoption of SCA tooling is still at a relatively early stage. In its 2020 Market Guide for Software Composition Analysis report, Gartner notes that SCA usage is in the early stages of adoption, but that interest in SCA is growing rapidly, with inquiries to the analyst firm on the topic increasing nearly 40% from 2019 to 2020.
Yet 72% of respondent organisations state they have a published policy for open source use. This raises the question of how the other 35% who aren't using SCA are managing open source to comply with their policies. Are they employing manual processes to manage open source? Are they depending on a developer honour system to ensure policies are followed? DevOps principles are based in part on automated validation of the state of a system, meaning that teams reliant on manual effort or honour systems are likely one incident away from a major disruption.
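As an added illustration (not code from the article or the survey it discusses), the check an SCA tool automates: build an inventory of open source components from a dependency manifest, compare it against an advisory feed to find outstanding patches, and turn the result into a pass/fail policy gate rather than an honour system. The manifest and advisory entries below are constructed, hypothetical values.

```python
"""Minimal SCA-style check: inventory components, flag outstanding
patches, and enforce an open source policy automatically."""

# Constructed requirements-style manifest (hypothetical package names).
MANIFEST = """\
# application dependencies
log-helper==1.2.0
json-parse==3.0.1
net-client==0.9.4
"""

# Constructed advisory feed: package -> first version that carries the fix.
# These are illustrative entries, not real advisories or CVEs.
ADVISORIES = {
    "log-helper": "1.2.5",
    "net-client": "1.0.0",
}


def parse_manifest(text: str) -> dict:
    """Inventory step: map each pinned package to the version in use."""
    inventory = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        name, version = line.split("==", 1)
        inventory[name.strip()] = version.strip()
    return inventory


def parse_version(v: str) -> tuple:
    """Compare dotted numeric versions numerically (1.10 > 1.9)."""
    return tuple(int(part) for part in v.split("."))


def outstanding_patches(inventory: dict, advisories: dict) -> list:
    """Patch-status step: components older than the fixed version."""
    findings = []
    for pkg, used in inventory.items():
        fixed = advisories.get(pkg)
        if fixed and parse_version(used) < parse_version(fixed):
            findings.append((pkg, used, fixed))
    return findings


def policy_passes(inventory: dict, advisories: dict, max_outstanding: int = 0) -> bool:
    """Automated policy gate: fail when unpatched components exceed the allowance."""
    return len(outstanding_patches(inventory, advisories)) <= max_outstanding


if __name__ == "__main__":
    inv = parse_manifest(MANIFEST)
    for pkg, used, fixed in outstanding_patches(inv, ADVISORIES):
        print(f"{pkg}: using {used}, fixed in {fixed}")
    raise SystemExit(0 if policy_passes(inv, ADVISORIES) else 1)
```

Wired into a CI pipeline, the non-zero exit status is the "automated validation of the state of a system" that replaces a manual review or honour system.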
Media coverage plays a role in open source risk management
One finding from the research that I find particularly surprising is that 46% of respondents noted that media coverage of open source issues influences how their organisations manage open source risk. This caught my attention in part because most media coverage of open source issues highlights a headline-worthy component, such as a vulnerability in Docker, Kubernetes or Linux, or a headline-worthy victim, such as Equifax. Such high-profile scenarios increase overall awareness of application security issues, but if a business relies on the media as its primary security news feed, then it is exposing itself to greater risk than necessary.
Media, in this regard, is reactionary. The last thing that any business leader wants is negative press stemming from a cybersecurity incident. Embracing security information flows using DevSecOps principles can help development and operations teams keep