Sonatype has gone public with the findings of its annual Open Source Development Survey. The study claims to be the "largest of its kind" surveying (as it does) more than 3,500 developers, architects and IT managers currently using open source.
- The Essential Guide to IT Transformation
- Consolidation: The Foundation for IT Business Transformation
- Inside Threats: Is Your Company at Risk?
- Want Information Fast or Want it Right? Learn How to Have Both
Key findings "suggest" that much of software today is now assembled from open source components and frameworks downloaded from repositories (at least 80% of the app). But the investigation also proposes that few organizations have the controls or processes to identify which components are in use, to govern their usage, or to eradicate flawed components from production applications.
An overwhelming majority (76 percent of respondents) shared that they have no control over what components are being used in software development projects, and 65% cited a failure to maintain an inventory of components used in production applications.
The firm points out that just like operating systems and databases, open-source components represent a "potentially rich attack vector" for hackers to exploit given their commonality across organizations and applications. So much so that for the first time the Open Web Application Security Project (OWASP) Top Ten list includes "using components with known vulnerabilities" as a top threat to application security at #9.
No surprise then that Sonatype is ready to spin these "findings" out as a prelude to the introduction of tools to service a new software supply chain with a new approach to application security. Or to put it in the firm's own words, "[We need a software chain that is] developer friendly and continuous to keep pace with Agile practices and address ongoing threats in real-time. Sonatype announces today the launch of Sonatype CLM, the first and only solution to secure the entire component lifecycle and the first comprehensive solution that directly addresses OWASP A9."