Original Post from InfoSecurity Magazine
Quarter of DevOps Suffer Open Source Component Breaches
A quarter of organizations have suffered a breach related to their application development process over the past year, with most of these coming via open source components, according to Sonatype.
The DevOps automation firm’s 2020 DevSecOps Community Survey is based on responses from 5045 software professionals around the world.
It revealed that 21% of the 24% of responding organizations that reported a breach over the past 12 months linked it to use of third-party components.
These are incredibly popular among DevOps practitioners as they help to speed the release of new products, although they can also contain vulnerabilities and sometimes malware.
Interestingly, the figure for reported open source component breaches rose to 28% for those organizations with mature DevOps practices that include keeping a Software Bill of Materials (SBOM) for all components.
This could be because of cultural differences associated with finding and reporting such issues, Sonatype claimed.
“DevOps practice and thought leaders continue to suggest that mature DevOps cultures supports scenarios where information is actively sought, new information is welcomed, and bridging functional groups is a rewarded behavior,” the report added.
“Failures are not silent in mature DevOps practices, but rewarded. For mature DevOps practices, awareness is one of the best agents for driving change.”
The report also suggested that happy developers are more likely to be good for overall cybersecurity: they are 3.6-times less likely to neglect security when it comes to code quality, 2.3-times more likely to have automated security tools in place and 1.3-times more likely to follow open source security policies.
Research from Sonatype last year revealed that there had been a 71% increase in open source-related breaches over the previous five years. UK firms on average downloaded 21,000 software components known to contain vulnerabilities.
Go to Source