by Bharat Mistry
UK firms on average download 21,000 open source software components containing flaws each year. That is the headline stat from new research which reveals the escalating risks facing developers from the common practice of sharing code. As demand for such components increases, the emphasis for security teams should be on finding ways to mitigate these risks as early on in the development lifecycle as possible, via seamless, automated security that doesn’t impact app delivery.
It’s an approach that is also increasingly important in the context of the new DevOps push to microservices and containers.
Supply chain problems
The report in question, compiled from analysis of 12,000 global enterprise development companies, claims that British businesses alone downloaded an estimated 248,000 open source components last year. This practice helps to accelerate DevOps processes and speed time-to-market in a world where IT agility is paramount to stay ahead of the competition. But it also introduces major new cyber risks if the software isn’t properly vetted. Of these hundreds of thousands of components downloaded in 2018, nearly 9% contained a vulnerability – and 30% of these were critical flaws.
These are not idle concerns. Worldwide, there’s been a 71% increase in breaches linked to open source vulnerabilities over the past five years, according to the report. One of the most infamous came in Apache Struts, open source software used by credit reporting agency Equifax. The firm’s failure to patch a critical bug allowed attackers to steal highly sensitive data on over 148m customers, including more than half of all American adults. The firm is said to have paid out $1.4bn already as a result.
Amazingly, downloads of the flawed Struts component actually increased by 11% in the year following the breach, averaging 2.1m per month.
Security as code
The question for firms then becomes: “how do I mitigate these risks without impacting the speed and agility that is so important to DevOps?” The answer will require transitioning your security tools from the old world of manual, static and hardware-based to adaptive, contextual and software-based.
This is the new era of Security as Code. Look for providers that expose security features as services via APIs, making it easy to integrate key controls into the CI/CD pipeline. That enables security teams to detect vulnerabilities, enforce policies and drive compliance without impacting DevOps.
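As an added illustration (not code from this post or from any Trend Micro product), here is a minimal policy gate of the kind described above: it reads a dependency scan report, whose JSON format, component names and CVE ids are constructed placeholders here, and fails the CI stage when an open source component carries a finding at or above the severity the policy allows.

```python
"""Minimal 'security as code' gate for a CI/CD pipeline: parse a dependency scan
report and fail the build on vulnerable open source components above policy."""
import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample report in a hypothetical scanner format (not any vendor's
# real output). Component names and CVE ids are placeholders for illustration.
SAMPLE_REPORT = json.dumps({"components": [
    {"name": "struts2-core", "version": "2.3.31",
     "vulnerabilities": [{"id": "CVE-EXAMPLE-0001", "severity": "critical"}]},
    {"name": "commons-text", "version": "1.9",
     "vulnerabilities": [{"id": "CVE-EXAMPLE-0002", "severity": "medium"}]},
    {"name": "guava", "version": "31.1-jre", "vulnerabilities": []},
]})

@dataclass
class GateResult:
    passed: bool
    components: int
    vulnerable: int  # components with at least one finding of any severity
    blocking: list = field(default_factory=list)  # findings that failed policy

def evaluate_policy(report_json: str, fail_at: str = "high",
                    allowlist: frozenset = frozenset()) -> GateResult:
    """Return the gate verdict. `fail_at` is the lowest severity that blocks;
    `allowlist` holds vulnerability ids accepted by a documented risk decision."""
    threshold = SEVERITY_RANK[fail_at.lower()]
    components = json.loads(report_json)["components"]
    vulnerable, blocking = 0, []
    for comp in components:
        findings = comp.get("vulnerabilities", [])
        vulnerable += bool(findings)
        for vuln in findings:
            sev = vuln["severity"].lower()
            # Unknown severities are treated as blocking so scanner changes fail closed.
            rank = SEVERITY_RANK.get(sev, max(SEVERITY_RANK.values()))
            if rank >= threshold and vuln["id"] not in allowlist:
                blocking.append((comp["name"], comp["version"], vuln["id"], sev))
    return GateResult(not blocking, len(components), vulnerable, blocking)

if __name__ == "__main__":  # CI usage: a non-zero exit code fails the pipeline stage
    result = evaluate_policy(SAMPLE_REPORT)
    for name, version, vuln_id, sev in result.blocking:
        print(f"BLOCK {name}@{version}: {vuln_id} ({sev})")
    sys.exit(0 if result.passed else 1)
```

In a real pipeline the report would come from whatever scanner the team runs against its lockfile or container image, and the allowlist would live in version control beside the policy so every accepted exception is reviewed like code.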
It’s particularly important in the context of hybrid cloud development based on microservices including containers. These new technologies are helping DevOps to become even more agile and innovative, but are also a source of cyber risk. Just last week a new vulnerability was discovered in Kubernetes which could allow an attacker to replace and create new files on a victim’s PC.
With Trend Micro’s Deep Security, DevOps teams can continuously scan container images for vulnerabilities and malware, from design to runtime. That’s automated security at scale optimised for your DevOps processes. Not only will it help to drive considerable security benefits, but such tools can also work to bring historically siloed IT teams together in a spirit of closer collaboration. With security seen as a partner rather than a roadblock on innovation, organisations are in a good place to drive digital transformation-fuelled growth whilst preserving the bottom line and corporate reputation from the impact of cyber incidents.