Majority spend two to three weeks to apply open-source patches, according to Synopsys survey

On December 8, Synopsys announced its annual report on open-source security management and DevSecOps practices, “DevSecOps Practices and Open Source Management in 2020”.

Put together by the Synopsys Cybersecurity Research Center (CyRC), this annual report is based on a survey of 1500 IT professionals around the world who are involved in cyber security, software development, and web development. The survey looked into how organizations handle open source vulnerabilities when dealing with open source components that are outdated or not maintained.

According to another survey conducted by Synopsys, the “2020 Open Source Security and Risk Analysis (OSSRA) Report”, open source makes up more than 70% of the code in many companies. OSSRA found that 75% of the code it audited contained open source components with known vulnerabilities. To deal with this, the respondents put detection of known vulnerabilities at the top of their priority list.

The report reveals their struggles in tracking and managing open source risks. 51% of the respondents said that it takes two to three weeks to apply open-source patches, and only 38% said that they use automated software composition analysis tools. The rest of the organizations are estimated to manage open source manually.

Also, 63% of the respondents said that they have partially adopted DevSecOps, which incorporates security into DevOps. Press and media were also found to play an important role in prompting them to adopt strict controls on open source usage.

It also found that 47% have set a standard for the age of the open-source components they use. Among the codebases audited by Synopsys in 2019, 91% contained open-source components that were either more than four years out of date or had no development activity in the past two years.

The survey points out that there is no universally adopted application security testing tool. Although there are a number of application security testing tools and techniques out there, and despite the high adoption rate, only half of the respondents were found to be using them.

