Intelligent CIO Middle East Issue 62 | Page 76


organisations around the world are using to address open source vulnerability management as well as the growing problem of outdated or abandoned open source components in commercial software.
Survey response shows open source security is top-of-mind, but patching is too slow
Security and vulnerability to exploit of an open source component were top of mind for 50% of respondents, who cited them as the primary selection criterion when vetting new open source components. With over half (51%) of respondents saying that it takes two to three weeks for their organisation to apply an open source patch, and 24% noting that it can take up to a month, even when a patch addresses a critical issue, teams are right to prioritise security during the selection phase.
Organisations using open source need to increase investments in SCA
The ability to patch any software starts with knowing that you're running a version of that software. Without the use of a software composition analysis (SCA) tool, which is designed to identify open source usage, knowing where open source components are used and what the current patch status of each component is can be a challenge. The survey respondents indicated that only 38% were using an SCA tool, which, in addition to providing an inventory of open source usage, would help teams quickly identify outstanding patches. As to the frequency with which patches are applied, that will be governed by the release cycle and QA effort employed by each team.
The results also indicate that corporate adoption of SCA tooling is still at a relatively early stage. In its 2020 "Market Guide for Software Composition Analysis" report, Gartner notes that SCA usage is in the early stages of adoption, but that interest in SCA is growing rapidly, with inquiries to the analyst firm on the topic increasing nearly 40% from 2019 to 2020.
Yet 72% of respondent organisations state they have a published policy for open source use. This leads to the question of how the other 35% who aren't using SCA are managing open source to comply with their policies. Are they employing manual processes to manage open source? Are they depending on a developer honour system that policies are being followed? DevOps principles are based in part on automated validation of the state of a system, meaning that teams reliant upon manual efforts or honour systems are likely one incident away from a major disruption.
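To make the inventory-plus-patch-status idea concrete, here is an added example (not from the article or any SCA vendor) in which a constructed component inventory is checked against constructed advisories, reporting outstanding patches and flagging those older than the two-to-three-week window the survey cites; the component names, versions and dates are all made up.

```python
from datetime import date

# Constructed inventory: what an SCA tool would produce from a build manifest.
INVENTORY = {"libfoo": "1.4.2", "libbar": "2.0.0", "libbaz": "0.9.1"}

# Constructed advisories: component, first fixed version, severity, publish date.
ADVISORIES = [
    {"component": "libfoo", "fixed_in": "1.4.3", "severity": "critical",
     "published": date(2021, 3, 1)},
    {"component": "libbar", "fixed_in": "1.9.0", "severity": "high",
     "published": date(2021, 1, 10)},
    {"component": "libbaz", "fixed_in": "1.0.0", "severity": "medium",
     "published": date(2021, 2, 20)},
]

# Constructed "today" so the report is reproducible.
CHECK_DATE = date(2021, 3, 15)

def parse_version(version):
    """Turn a dotted numeric version string into a comparable tuple."""
    return tuple(int(part) for part in version.split("."))

def outstanding_patches(inventory, advisories, today):
    """Advisories whose fix is not yet applied, with days since publication."""
    results = []
    for adv in advisories:
        installed = inventory.get(adv["component"])
        if installed is None:
            continue  # component not in the inventory, so nothing to patch
        if parse_version(installed) < parse_version(adv["fixed_in"]):
            results.append({
                "component": adv["component"],
                "installed": installed,
                "fixed_in": adv["fixed_in"],
                "severity": adv["severity"],
                "days_outstanding": (today - adv["published"]).days,
            })
    # Oldest outstanding patch first, so it gets reviewed first.
    return sorted(results, key=lambda r: r["days_outstanding"], reverse=True)

def overdue(results, max_days=21):
    """Patches older than the typical two-to-three-week window the survey reports."""
    return [r for r in results if r["days_outstanding"] > max_days]

if __name__ == "__main__":
    report = outstanding_patches(INVENTORY, ADVISORIES, CHECK_DATE)
    for row in report:
        print(f"{row['component']:8} {row['installed']:>6} -> {row['fixed_in']:<6} "
              f"{row['severity']:8} {row['days_outstanding']:3d} days")
    print("overdue:", [r["component"] for r in overdue(report)])
```

The version comparison handles only dotted numeric versions; real SCA tools also have to cope with pre-release tags and distro-specific version schemes.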
Media coverage plays a role in open source risk management
One finding from the research that I find particularly surprising is that 46% of respondents noted that media
76 INTELLIGENTCIO MIDDLE EAST www.intelligentcio.com