Sonatype’s Vice-President, Derek Weeks, exposes how open source governance accelerates software innovation
“We have a responsibility to build software that’s secure,” noted Derek Weeks, VP and DevOps Advocate at Sonatype. But despite this responsibility, companies throughout the UK are continuing to build unsafe components into their applications.
Weeks explained that this has been driven by dramatic changes in software development. During the past five-six years, businesses have come under increasing pressure to move faster and be more agile, which has caused usage of open source components to surge. Today, “80 to 90% of an application is assembled from open source components”, as they can be quickly and easily downloaded in seconds.
However, this widespread use of components from unknown sources also poses challenges. Weeks revealed that one in eight open source components downloaded to repository managers by developers in the UK contained unknown security vulnerabilities – up 120% from the previous year, presenting huge risks to businesses.
Over the course of the year, UK developers also unwittingly downloaded 68,000 known vulnerable versions of Bouncy Castle components relied upon for cryptography and 40,000 vulnerable versions of Apache Struts components implicated in the breach at Equifax. In all instances, safe versions of these same components were available for developers to download.
Weeks advised: “Organisations need to have an understanding of security defects. If you’re aware of what components you’re using, and the quality of its parts, then you can make decisions on what to use in a product.”
For companies looking to develop safe and secure applications, Weeks offered further guidance:
“You have to think about how to invest in better cyber hygiene from the beginning. You need to choose what’s acceptable and put practices in place via open source governance policies – you can do this by taking steps such as downloading a component with the correct license type, and ensuring that it’s the latest versions of a component, not a version that’s nine to ten years old.
“The average component or open source project is released 14 times a year, so every year there are 14 new versions; use any component that is three years old or less to give a developer access to 42 versions of an open source project, on average, without eliminating productivity.”
When you look at open source capabilities it’s “pretty simple” to evaluate them and decide whether they are suitable. However, Weeks stresses that automation is critical. “We have seen organisations that use between 5,000 to 10,000 components; from a manual review cycle they are tracking up to 50,000 to 100,000 manual hours, which you can’t physically keep up with.”
This is why more automated tools are being used. “For example, one customer in the financial services sector had 800 components, which were approved through manual processes and highly regulated. They spent 56,000 hours a year to ensure security practices, taking 6 to 12 weeks to get an answer back to developers. In the development community, most sprints take two weeks. The manual process was working for those with patience, but the majority didn’t have any patience because of deadlines.”
Collaborate to learn
In addition to continually reviewing components and stopping flawed components from being designed in the first place, Weeks recommended addressing company culture to help promote security. “You have to create a culture to improve performance and look for opportunities to improve security and quality – everyone in the team needs to seek opportunities to improve the overall system and how it’s working. Some people can be too comfortable with their ways of doing things, but despite this, they need to collaborate to learn continuously and seek opportunities to improve the overall system.” For Weeks, this is part of adopting a DevOps mentality, which strives to remove siloes to reduce friction and enable rapid innovation.
He has seen first hand how this approach has benefited Sonatype. “When I first joined the company we had an activity where we were able to release new versions of software every three to six months, now are sprints are every couple of weeks. We have taken automation and focused on faster releases, seeing the end-to-end pipeline of what’s been achieved and collaborated better in smaller teams – allowing us to release to our customers quicker, making our employees a lot happier.
“For large organisations wanting to move to a DevOps culture, I would advise top leadership to understand what DevOps can bring while being competitive and innovative – you need to be open to risks while being relentless,” he added.
Weeks also noted that testers must ensure high quality and secure components to prevent clever hackers from being malicious – which is more than possible!
Written by Leah Alger