Intelligent CISO Issue 34 | Page 64

Teams reliant upon manual efforts or honour systems are likely one incident away from a major disruption.
BUSINESS SURVEILLANCE
open source components are used and what the current patch status of each component is can be a challenge. The survey respondents indicated that only 38% were using an SCA tool, which, in addition to providing an inventory of open source usage, would help teams quickly identify outstanding patches. As to the frequency with which patches are applied, that will be governed by the release cycle and QA effort employed by each team.
The results also indicate that corporate adoption of SCA tooling is still at a relatively early stage. In its 2020 Market Guide for Software Composition Analysis report, Gartner notes that SCA usage is in the early stages of adoption, but that interest in SCA is growing rapidly, with inquiries to the analyst firm on the topic increasing nearly 40% from 2019 to 2020.
Yet 72% of respondent organisations state they have a published policy for open source use. This leads into the question of how the other 35% who aren't using SCA are managing open source to comply with their policies. Are they employing manual processes to manage open source? Are they depending on a developer honour system that policies are being followed? DevOps principles are based in part on automated validation of the state of a system, meaning that teams reliant upon manual efforts or honour systems are likely one incident away from a major disruption.
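The two things the article says an SCA tool gives a team, an inventory of open source components and a list of outstanding patches, can be illustrated with a small automated check. The script below is an added example, not a tool from the article or from any vendor it mentions: it reads a constructed, lockfile-style manifest of pinned components, builds the inventory, and compares each pinned version against a constructed table of "fixed in" versions (a real SCA tool would pull that table from a vulnerability feed). Component names, versions and the advisory table are all made up for the illustration.

```python
"""Minimal SCA-style audit: inventory pinned open source components and flag
those behind a known patched version. Added illustration, not the article's
or any vendor's code; all names and versions below are constructed."""
from dataclasses import dataclass

# Constructed sample manifest in pip "requirements.txt" pin format.
SAMPLE_MANIFEST = """\
# constructed example, not a real project's dependencies
examplelib==1.4.0
demo-parser==0.9.1
toolkit==3.2.0
"""

# Constructed advisory table: component -> first version carrying the fix.
# A real SCA tool populates this from a vulnerability feed.
SAMPLE_ADVISORIES = {
    "examplelib": "1.4.2",   # pinned 1.4.0 is behind this: should be flagged
    "toolkit": "3.1.0",      # pinned 3.2.0 already includes the fix
}


def parse_version(text):
    """Turn '1.10' into (1, 10) so versions compare numerically, not as strings.
    Deliberately simple: real tools implement full PEP 440 / semver rules."""
    return tuple(int(part) for part in text.strip().split("."))


def parse_manifest(text):
    """Return {name: version} for every 'name==version' line, ignoring comments.
    Unpinned lines are rejected: without an exact version there is nothing to audit."""
    inventory = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned dependency, cannot audit: {line!r}")
        name, version = line.split("==", 1)
        inventory[name.strip().lower()] = version.strip()
    return inventory


@dataclass(frozen=True)
class Finding:
    name: str
    installed: str
    fixed_in: str


def outstanding_patches(inventory, advisories):
    """List components whose pinned version is older than the patched version."""
    findings = []
    for name, installed in sorted(inventory.items()):
        fixed_in = advisories.get(name)
        if fixed_in and parse_version(installed) < parse_version(fixed_in):
            findings.append(Finding(name, installed, fixed_in))
    return findings


def audit(manifest_text, advisories):
    """Return (inventory, findings): the inventory and the outstanding patches."""
    inventory = parse_manifest(manifest_text)
    return inventory, outstanding_patches(inventory, advisories)


if __name__ == "__main__":
    inv, findings = audit(SAMPLE_MANIFEST, SAMPLE_ADVISORIES)
    print(f"{len(inv)} components inventoried")
    for f in findings:
        print(f"PATCH OUTSTANDING: {f.name} {f.installed} -> upgrade to {f.fixed_in}")
    # Non-zero exit lets a CI pipeline fail the build instead of relying on
    # someone remembering to check, which is the automated validation the
    # article contrasts with manual effort or an honour system.
    raise SystemExit(1 if findings else 0)
```

Run against the constructed manifest, the script inventories three components and flags only `examplelib`; `toolkit` is already at or above its fixed version and `demo-parser` has no advisory. Wiring the exit status into a pipeline gate is what turns the policy from an honour system into an enforced control.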
Media coverage plays a role in open source risk management
One finding from the research that I deem particularly surprising is that 46% of respondents noted that media coverage around open source issues influences how their organisations manage open source risk. This caught my attention in part because most media coverage of open source issues highlights a headline-worthy component, such as a vulnerability in Docker, Kubernetes or Linux, or a headline-worthy victim, such as Equifax. Such high-profile scenarios increase overall awareness of application security issues, but if a business relies on the media as its primary security news feed, then it is exposing itself to greater risk than necessary.
Media, in this regard, is reactionary. The last thing that any business leader wants is negative press stemming from a cybersecurity incident. Embracing security information flows using
64 www.intelligentciso.com