Intelligent CIO North America Issue 6 - Page 55

FEATURE : SOFTWARE pace with the constantly evolving threat landscape . Automation of AppSec tooling then provides a prime source of security information about any weaknesses in the software powering a business – but only if that information is shared amongst the teams involved in the lifecycle of that software .
A growing problem in the open source community around project sustainability
The 2020 Open Source Security And Risk Analysis ( OSSRA ) Report showed that 91 % of codebases audited in 2019 contained open source components that were either more than four years out of date or had no development activity in the past two years . the highest adoption rate is still only utilised by less than half of respondents .
Summing it up
The key to creating secure applications is a cohesive and comprehensive testing process that extends from the beginning of the design phase , all the way through development and into deployment and production . And as the pace of software development and innovation continues to increase , it is important to recognise that open source technologies are part of that success . They enable teams to focus on creating unique and valuable
Tim Mackey , Principal Security Strategist , Synopsys Cybersecurity Research Center ( CyRC )
This speaks to a situation where either the component used was abandoned by the author and associated community , or that when the component was adopted , the origin point for the component wasn ’ t properly vetted to ensure that it was under active development .
While an argument can be made that for some components they are functionally complete , this is different to being properly secured against the current threat landscape . To properly address this , consumers of open source components need to look at how projects are being sustained ; because if a security issue arises , it can be difficult to get the issue fixed when no-one is looking at the code .
Security risks increase when obsolete code is deployed , including the threat of an open source component being hijacked . Such a situation occurred in 2018 when the event-stream component was hijacked to target Bitcoin in Copay accounts . Without policies in place to identify and manage the risks that legacy open source can create , organisations open themselves up to the possibility of issues in the software .
No universally adopted application security testing tool
And one element to support such policies involves tooling . Survey responses note that there is no universally adopted application security testing tool . Responses to the survey questions also indicate that there is no shortage of application security testing tools and techniques . However , even the AST tools with solutions while tapping into domain expertise in areas that aren ’ t core to their business .
Properly managing that relationship should be a key priority and I find it promising that 63 % of survey respondents reported that they are incorporating some measure of DevSecOps principles into their software development practices . This is certainly a step in the right direction . p



www . intelligentcio . com INTELLIGENTCIO NORTH AMERICA 55