Open source software breaches surge in the past 12 months

A simple lack of time is blamed for a lack of security governance in open-source projects.
Written by Charlie Osborne, Contributing Writer

Security breaches tied to open-source components are on the rise, and a lack of time for developers to resolve known vulnerabilities is believed to be the main cause.

According to Sonatype's DevSecOps Community Survey, in which over 5,500 IT professionals were asked to give their opinion on today's open-source projects and the community's security stance, open-source breaches have increased by 71 percent over the last five years.

On Monday, the open-source governance vendor said the research revealed that 41 percent of executives do not implement open-source governance in their organizations, a problematic figure given that open-source components underpin large parts of enterprise applications and networks.

The open-source community and its projects are integral to the enterprise. Community-based technology which avoids vendor lock-in and makes use of open standards can not only be more cost-effective but can also represent the work of some of the best coders available.


However, time constraints let some vulnerabilities slip through the net. Sonatype's research suggests that over 10,000 companies downloaded the flawed component behind the Equifax breach, which exposed the personal information of over 140 million people.

Close to half of open-source developers surveyed said they believe security must be a priority, but they "don't have enough time to spend." In addition, half of the developers surveyed who are making use of cloud infrastructures say they rely on the cloud provider alone to maintain adequate security standards.

The report does suggest, however, that progress is being made. Of those surveyed, 81 percent of companies with DevSecOps practices in place said cybersecurity response plans have been implemented, and these same groups are three times more likely to offer application security training to those involved in open-source projects.

In total, 62 percent of respondents with DevSecOps programs have open-source governance plans in place, in comparison to only 25 percent when no DevSecOps systems exist.

Another notable finding is the current level of automation. Mature DevOps setups are 350 percent more likely to use security automation than immature ones.


Where there is room for improvement is in how security is integrated into the DevOps pipeline. Most organizations without mature DevOps practices run security checks as separate tasks with manual steps, whereas mature DevOps programs are most likely to have security checks fully integrated into the pipeline and automated.
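The pipeline integration the report describes, and the Equifax example above in which a known-vulnerable component was still being downloaded by thousands of organizations, both come down to the same control: an automated policy gate on third-party dependencies that runs on every build. The following is an added example written for this page, not code from Sonatype or from the report. It parses a pinned requirements list, compares each version against an advisory list of vulnerable version ranges, and refuses the build on any match or on any dependency that is not pinned. The package names, advisory identifiers and version ranges are constructed placeholders, not real advisories; a real gate would pull them from an advisory feed.

```python
"""Minimal open-source governance gate for a CI pipeline (added example).

Reads a requirements-style dependency list, compares each pinned version
against an advisory list of vulnerable version ranges, and reports findings
so the build can fail before the artifact is promoted.
"""
import re
import sys
from dataclasses import dataclass

# Constructed advisory feed: package -> list of (introduced, fixed, id).
# Versions >= introduced and < fixed are treated as vulnerable.
# Names, identifiers and ranges are hypothetical placeholders.
ADVISORIES = {
    "examplelib": [("1.0.0", "1.4.2", "EXAMPLE-ADV-001")],
    "otherlib": [("0.0.0", "2.1.0", "EXAMPLE-ADV-002")],
}

# Constructed sample lockfile used for the demonstration run.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
examplelib==1.3.0      # inside the vulnerable range
otherlib==2.1.0        # exactly the fixed version, so clean
safelib==0.9.1         # no advisory on record
"""


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    advisory: str
    fixed_in: str


def parse_version(v: str) -> tuple:
    """Turn '1.4.2' into (1, 4, 2); missing parts become 0.

    Pre-release suffixes such as '1.4.2rc1' are ignored, which is a
    simplification: treat them as the base release.
    """
    parts = []
    for piece in v.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


def parse_requirements(text: str):
    """Return ({name: version}, [unpinned lines]) from 'name==version' lines.

    Comments and blank lines are skipped. Anything that is not an exact pin
    (ranges, VCS URLs, bare names) is reported as unpinned, because a gate
    cannot reason about a version that is only resolved at install time.
    """
    deps, unpinned = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z0-9_.\-]+)\s*==\s*([0-9][0-9A-Za-z.\-]*)$", line)
        if not m:
            unpinned.append(line)
            continue
        deps[m.group(1).lower()] = m.group(2)
    return deps, unpinned


def check_dependencies(text: str):
    """Match every pinned dependency against the advisory ranges."""
    deps, unpinned = parse_requirements(text)
    findings = []
    for name, version in sorted(deps.items()):
        v = parse_version(version)
        for introduced, fixed, adv_id in ADVISORIES.get(name, []):
            if parse_version(introduced) <= v < parse_version(fixed):
                findings.append(Finding(name, version, adv_id, fixed))
    return findings, unpinned


def gate(text: str) -> bool:
    """Return True only when the build may proceed: no findings, no unpinned deps."""
    findings, unpinned = check_dependencies(text)
    return not findings and not unpinned


if __name__ == "__main__":
    # As a CI step: exit non-zero so the pipeline stops on a policy violation.
    found, loose = check_dependencies(SAMPLE_REQUIREMENTS)
    for f in found:
        print(f"BLOCK {f.package}=={f.version}: {f.advisory}, fixed in {f.fixed_in}")
    for line in loose:
        print(f"BLOCK unpinned dependency: {line}")
    sys.exit(0 if gate(SAMPLE_REQUIREMENTS) else 1)
```

Run as a pipeline step, the script exits non-zero on the constructed sample because examplelib 1.3.0 falls inside the advisory range, which is the behaviour the report attributes to mature DevOps programs: the check is automated and blocks promotion rather than producing a report someone has to read later. Treating unpinned dependencies as a failure is a deliberate design choice; without exact pins the gate cannot know what will actually be installed.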

"Not recognizing the importance of security in a DevOps strategy is a recipe for disaster. No matter how fast the velocity of a DevOps organization, if what they produce is not supportive of confidentiality, integrity & availability then they have failed," says Lu Cortez of Canva. "Including security in everything that is done is part of enabling the business to meet its strategic goals. DevOps needs security."
