Open source software has cemented its place as essential for developers to push releases and updates to their own products in a fast and cost-effective manner. But as its use and necessity has increased, so too have the risks it opens organizations up to—with recent Forrester research saying that open source vulnerabilities are up 50% year over year.
Some of that balance between risk and benefit was easier to strike when developers and security pros were able to talk potential issues out in person. Conditions created by the pandemic have made that collaboration much harder.
It all begs the question: Can an open source development culture coexist with a strong security culture, especially in our current environment?
Not only is the answer yes, but the two can reinforce and strengthen one another. When security decision-making is placed in the hands of the developer as early as the design stage, everyone is asking the right questions from the get-go. And Software Composition Analysis (SCA) tools help advance that, according to Forrester in the webinar “Software Composition Analysis: Why Now?”
SCA gives developers ownership and insight into the security of the open source components that they are using. That confidence propagates across the process, building consensus on the benefits of SCA to quickly release high quality products at competitive price points. Other benefits include:
- Reduction in the time to find defects. Organizations that scan less than three times a year have flaws that persist 3.5 times longer than those who scan seven to 12 times a year, according to Forrester.
- Guards against process gaps born of remote work. Automating analysis guards against things that might be missed simply because an employee isn’t sitting next to a colleague or can’t walk into the leader’s office to express concerns.
- Software development teams spend more time on challenging and innovative work. By letting the tooling identify the outliers, the development team can spend its time remedying the hard problems rather than auditing everything by hand. They don’t have to backtrack to fix issues that automated scanning could have identified early, which leaves more time to innovate on the product.
- Continuous education for developers helps them spot potential red flags. By seeing what poses issues in open source software components, developers can start to see trends in common characteristics that may pose issues and head them off.
For all of these reasons, security leaders should be the main champions of SCA, and the ones leading the charge to build support from key stakeholders across legal and development. To build a business case for SCA, show how the functionality the tools provide, such as generating an accurate bill of materials for all applications and automating scanning and policy enforcement, actually accelerates the development organization’s ability to take advantage of open source while protecting the organization from security risks.
Learn more on this recent Revenera webinar with Forrester.