Already using static code analysis? Try boosting your application security program with software composition analysis to automate open source management.
Every company is becoming a software company. … Services and products in every field are becoming increasingly driven, powered and differentiated by software.
—Dino Dai Zovi, mobile security lead, Square, Black Hat 2019 conference
With application development becoming a key differentiator for many organizations, how can they support their development teams with the testing tools to reduce flaws and vulnerabilities without interfering with developers’ priorities? 451 Research’s Designing a Modern Application Security Program Pathfinder paper (sponsored by Synopsys) notes, “Organizations cannot rely on traditional network- and infrastructure-based security protections as they once did; they need to build protections into applications as well as fortify them against attack.”
Thirty-seven percent of the respondents cited in the 451 Pathfinder paper are using some form of application security testing, with the majority of those using a static application security testing (SAST) tool such as Coverity static analysis. That figure may seem low at first glance, but it averages across all enterprises. Among enterprises with in-house application developers writing code for internal and external applications, the usage rates of both dynamic and static application security testing rocket to more than 80%.
SAST tools are often the foundational application security testing tool for enterprises writing code for internal and external applications. They examine proprietary source code to identify code quality and security issues, including unsafe function use, race conditions, buffer overflows, and input validation errors that allow attacks such as SQL injection.
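To make concrete what a SAST tool is doing when it reports "unsafe function use" or an injection-prone query, here is a deliberately small static checker added as an illustration. It is not Coverity's engine or any rule from the original page. It parses Python source into an AST and flags calls to a hypothetical list of dangerous sinks that receive non-literal arguments, and calls to `execute()` whose query is assembled at runtime with `%`, `+`, `.format()` or an f-string. The sample module it scans is constructed inline so the script runs offline.

```python
"""Minimal SAST-style checker (added illustration, not a Coverity rule).

Walks a Python AST and flags two of the issue classes named in the text:
  * unsafe function use: eval/exec/os.system/subprocess.call with
    non-literal input (hypothetical sink list, not a vendor rule set)
  * SQL built with string formatting and passed straight to execute()
"""
import ast

# Hypothetical sink list for the example; a real tool ships thousands of rules.
UNSAFE_CALLS = {"eval", "exec", "os.system", "subprocess.call"}

# Constructed sample source with one injectable query, one safe
# parameterised query, and two dynamic calls to dangerous sinks.
SAMPLE = '''
import os, sqlite3

def lookup(conn, user):
    cur = conn.cursor()
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)   # injectable
    cur.execute("SELECT * FROM users WHERE name = ?", (user,))    # parameterised
    return cur.fetchall()

def run(cmd):
    os.system("ls " + cmd)      # command built from caller input
    eval(cmd)                   # arbitrary code execution
'''


def _qualname(node):
    """Return 'a.b.c' for a Name/Attribute call target, else None."""
    if isinstance(node, ast.Name):
        return node.id
    if isinstance(node, ast.Attribute):
        base = _qualname(node.value)
        return f"{base}.{node.attr}" if base else node.attr
    return None


def _is_dynamic_string(node):
    """True if the expression builds a string at runtime from parts."""
    if isinstance(node, ast.JoinedStr):                      # f-string
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Add, ast.Mod)):
        return True                                          # "..." + x, "..." % x
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return True                                          # "...".format(x)
    return False


def scan_source(source):
    """Return sorted (lineno, rule, detail) findings for one module."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _qualname(node.func)
        if name in UNSAFE_CALLS and any(
                not isinstance(a, ast.Constant) for a in node.args):
            findings.append((node.lineno, "unsafe-call", name))
        elif (name and name.endswith(".execute") and node.args
                and _is_dynamic_string(node.args[0])):
            findings.append((node.lineno, "sql-injection",
                             "query built with string formatting"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, rule, detail in scan_source(SAMPLE):
        print(f"line {lineno}: {rule}: {detail}")
```

The parameterised `execute()` on line 7 of the sample is not reported because its first argument is a constant; that distinction between a literal query with bound parameters and a query string assembled from data is exactly what a SAST rule for SQL injection keys on.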
However, SAST tools aren’t as effective at finding issues in open source code as they are with proprietary code, and they don’t identify open source license types or component versions at all. With much of the code in any modern application being open source, identifying and managing that open source is essential to developing secure, high-quality code. Software composition analysis (SCA) can automate open source management, producing complete, accurate open source inventories, flagging components with known vulnerabilities, and enforcing open source use policies.
In 2018, 451’s “Voice of the Enterprise” Information Security study found software composition analysis (SCA) products in place in 11% of the enterprises surveyed, with another 11% of respondents saying they were planning to implement SCA in the next 12 months. Twenty-one percent of respondents in 2019 stated they now have SCA in place, with an additional 12% saying they’re currently evaluating vendor offerings.
The growth in SCA parallels the growth in open source use by development teams worldwide. Not only is every company becoming a software company; every company building software for internal and external applications is becoming an open source software company. The Synopsys Black Duck Audits team found open source in over 96% of codebases scanned in 2018, a percentage that went even higher (99%) when Black Duck Audits looked at codebases with over 1,000 files. On average, Black Duck Audits identified 298 open source components per codebase. Open source represented 60% of the code analyzed.
Because of the ubiquity of open source use, attackers see popular open source components as a target-rich environment. For example, more than 66% of active sites on the web use OpenSSL. Email servers (SMTP, POP, and IMAP protocols), chat servers (XMPP protocol), virtual private networks (SSL VPNs), network appliances, and a wide variety of client-side software all commonly use OpenSSL.
Only a handful of open source vulnerabilities—such as the Heartbleed vulnerability affecting OpenSSL—are ever likely to be widely exploited. But when one is, the need for open source security becomes front-page news—as it did with the Equifax data breach of 2017, which exploited a vulnerability in the open source framework Apache Struts.
“The Equifax breach and the overall proliferation of open source use have given SCA adoption a tailwind,” notes the 451 Pathfinder paper. “Organizations making heavy use of open source libraries typically have different versions of the same library used in different places, dated libraries and other inefficiencies. An SCA product can identify these problems, find and monitor inherent security vulnerabilities in open source libraries, and flag libraries with potential licensing issues.”
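The three SCA functions described above (building an inventory, matching component versions against known vulnerabilities, and enforcing a license policy) plus the duplicate-version problem the 451 paper mentions can be shown end to end in a few dozen lines. The script below is an added illustration, not Black Duck or any vendor's engine. The lockfile, the advisory feed, the license metadata and the deny-list policy are all constructed inline so it runs offline; the package names and advisory identifiers are hypothetical and refer to no real vulnerability.

```python
"""Minimal SCA-style analysis (added illustration, not a vendor's engine).

Builds a component inventory from a lockfile, matches versions against an
advisory feed, enforces a license policy, and reports libraries pinned at
more than one version. All inputs are constructed; names and advisory IDs
are hypothetical.
"""

# Constructed requirements-style lockfile (hypothetical package names).
LOCKFILE = """\
# constructed lockfile
examplelib==1.4.2
netparse==0.9.0
fastcrypt==2.1.0
fastcrypt==2.0.3
"""

# Hypothetical advisory feed: (package, [min, max) vulnerable range, advisory id).
ADVISORIES = [
    ("examplelib", ("1.0.0", "1.5.0"), "ADV-0001"),
    ("fastcrypt", ("0.0.0", "2.1.0"), "ADV-0002"),
]

# Hypothetical license metadata, as a package index would report it.
LICENSES = {"examplelib": "MIT", "netparse": "GPL-3.0-only", "fastcrypt": "Apache-2.0"}

# Policy assumption for this example: copyleft licenses are not allowed in
# shipped products, and unknown licenses are treated as violations.
DENIED_LICENSES = {"GPL-3.0-only", "AGPL-3.0-only"}


def parse_version(v):
    """Dotted numeric version -> comparable tuple, e.g. '1.4.2' -> (1, 4, 2)."""
    return tuple(int(p) for p in v.split("."))


def parse_lockfile(text):
    """Return [(name, version)] for every pinned line, ignoring comments."""
    inventory = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        inventory.append((name.strip(), version.strip()))
    return inventory


def analyze(lockfile_text):
    """Return inventory, vulnerable components, license violations, duplicates."""
    inventory = parse_lockfile(lockfile_text)
    vulnerable, license_violations = [], []
    for name, version in inventory:
        v = parse_version(version)
        # A component is affected if its version falls in an advisory's range.
        for pkg, (lo, hi), adv in ADVISORIES:
            if pkg == name and parse_version(lo) <= v < parse_version(hi):
                vulnerable.append((name, version, adv))
        lic = LICENSES.get(name, "UNKNOWN")
        if lic in DENIED_LICENSES or lic == "UNKNOWN":
            license_violations.append((name, version, lic))
    # Same library at several versions: the inefficiency 451 describes.
    versions_by_name = {}
    for name, version in inventory:
        versions_by_name.setdefault(name, set()).add(version)
    duplicates = {n: sorted(vs) for n, vs in versions_by_name.items() if len(vs) > 1}
    return {
        "inventory": inventory,
        "vulnerable": vulnerable,
        "license_violations": license_violations,
        "duplicates": duplicates,
    }


if __name__ == "__main__":
    for key, value in analyze(LOCKFILE).items():
        print(f"{key}: {value}")
```

Note that `fastcrypt==2.1.0` sits exactly at the upper bound of its advisory range and is correctly not reported, while the older `2.0.3` pin of the same library is; catching that second, dated copy is the reason an inventory has to list every occurrence rather than one entry per library name.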
As the 451 Pathfinder paper demonstrates, smart organizations in the business of building software for internal or commercial use have implemented SAST to strengthen and protect their code. And a growing number of organizations are further bolstering their application security programs with SCA to automate open source management and protect against the potential risk of having unidentified open source components in their codebase.
Fred is a senior technical writer at Synopsys. He is a Mini Cooper fanboy and has worked for both Google and Bob Dylan at various points in his career.