Open source components have become an essential part of today’s software development process, helping development organizations speed up release cycles and push out innovative software faster. In fact, over 90% of the respondents to a survey recently conducted by Gartner stated that they rely on open source components. However, open source components also bring a new set of challenges that organizations need to address in order to keep their products secure and compliant.
Gartner’s first-ever report about Software Composition Analysis (SCA) — Technology Insight for Software Composition Analysis — explains why security and risk management leaders must proactively control the open source components in their applications, details the main benefits and capabilities of SCA tools as well as the risks organizations need to look out for, and presents recommendations for using SCA tools.
According to Gartner’s research report on Software Composition Analysis, security came up as a top challenge when working with open source, with 57% of participants rating vulnerabilities as a significant challenge when working with open source. In addition, over two-thirds of the survey respondents said that they are concerned about the long-term viability of open source projects. Next on the list of top challenges were deciding when to seek out commercial support, and open source licensing and compliance issues.
From the Gartner Technology Insight for Software Composition Analysis, 1 November 2019
Another challenge that the Gartner report highlights is the complex issue of open source licensing compliance. The open source licenses attached to each and every open source component vary from permissive to very restrictive. Organizations need to make sure that they are compliant with the terms and conditions of all of the open source licenses included in their code-base.
Finally, Gartner’s Report notes that mature and sophisticated organizations are also focused on a more subjective criterion for risk evaluation — the overall health and reliability of an open source project. These organizations look at different factors that might influence an open source project, like the number of contributors, the frequency of updates, the speed of vulnerability remediation, and whether the issues and fixes are publicly reported.
While the list of challenges is long, the Gartner research report found that “the use of open-source software is typically poorly understood and controlled by organizations”. Despite their concerns, nearly half of the participants in the survey replied that they do not, and will not, have a policy for the use and distribution of open source components.
From the Gartner Technology Insight for Software Composition Analysis, 1 November 2019
The Gartner survey results show that when a review and approval process of open source components is performed, it is most often done manually or on an ad hoc basis by enterprise architecture and security teams. Only 28% of the open source users that participated in the survey said that they use automated tools to manage open source usage, and a mere 16% suggested that they plan to have such a tool by the end of 2020.
The Gartner report warns that neglecting to track and manage all of the open source components in their applications is a mistake that could lead to disastrous results. First, the use of vulnerable open source components leaves organizations open to hackers who can easily exploit a known open source vulnerability to gain access to controls and sensitive data. Attempts to beat the hackers to a known vulnerability can be extremely time-consuming and expensive when the work of locating and fixing the vulnerability is done manually, rather than having a dedicated SCA tool that alerts on problematic components.
In addition, Gartner points out the business and legal risks involved in an organization not being able to produce a comprehensive up-to-date Bill of Materials (BOM), which is becoming a standard requirement among organizations.
Due to these security and legal risks, the Gartner research report strongly recommends that security and risk management leaders responsible for application security proactively understand and control the use of open source components. The report goes on to suggest that SCA tools are the best automated method for quick and accurate tracking of open source usage.
As awareness of the risks of open source usage grows, a variety of different SCA solutions have been introduced to the market, and vendors continue to develop and innovate their SCA offerings. The Gartner Technology Insight report details the benefits of SCA tools, and covers the varying capabilities of the different SCA tools out there.
Most SCA tools rely on a database of known open source vulnerabilities that is based solely on the National Vulnerability Database (NVD). While the NVD is the largest security vulnerabilities database, it is not the only one out there. There are additional community issue trackers and advisories that publish open source vulnerabilities that sometimes aren’t included in the NVD.
Gartner’s recommendation is to make sure that you choose an SCA tool that covers multiple vulnerabilities databases and sources, to achieve comprehensive coverage and ensure that no known open source security vulnerability is left behind.
While the detection of security issues is certainly important, it is only the first step in addressing the issue. Gartner points out that some SCA tools also offer remediation support, by offering a recommended version to update, or a patch. Some vendors even offer automated remediation of outdated and insecure open source components.
Most SCA tools offer the ability to track and report on the open source licenses attached to the components, helping organizations remain compliant and avoid open source licensing risks. The Gartner report stresses the importance of having an open source policy in place that states which open source licenses are accepted, which are to be rejected, and which ones require review by an internal team. Advanced SCA tools can also enforce license policies automatically, including automatically initiating approval workflows, which streamlines the entire process and reduces developers’ involvement.
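The two points above (checking components against more than one advisory source, and gating on a license policy of accepted, rejected and to-be-reviewed licenses) as one added example; this is illustrative code written for this post, not Gartner’s or any vendor’s tool. The bill of materials, both advisory feeds, the advisory ids (placeholders, not real CVEs) and the license lists are all constructed for the demo.

```python
def parse_version(v):
    """Turn "1.2.5" into (1, 2, 5) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

# Constructed bill of materials; 'direct' separates direct from transitive dependencies.
BOM = [
    {"name": "libfoo", "version": "1.2.0", "license": "MIT", "direct": True},
    {"name": "libbar", "version": "0.9.1", "license": "GPL-3.0", "direct": False},
    {"name": "libbaz", "version": "2.0.0", "license": "Custom-EULA", "direct": True},
]
# Two constructed advisory feeds. The libbar issue appears only in the community
# feed, which is the coverage gap a single-source tool would miss.
NVD_LIKE_FEED = [
    {"id": "PLACEHOLDER-ADV-0001", "name": "libfoo", "fixed_in": "1.2.5"},
]
COMMUNITY_FEED = [
    {"id": "PLACEHOLDER-ADV-0001", "name": "libfoo", "fixed_in": "1.2.5"},
    {"id": "PLACEHOLDER-ADV-0002", "name": "libbar", "fixed_in": "1.0.0"},
]
# License policy: accepted licenses, rejected licenses, and anything else goes to review.
LICENSE_POLICY = {"allow": {"MIT", "Apache-2.0"}, "deny": {"GPL-3.0"}}

def merge_feeds(*feeds):
    """Union several advisory feeds, de-duplicating on advisory id."""
    merged = {}
    for feed in feeds:
        for adv in feed:
            merged.setdefault(adv["id"], adv)
    return list(merged.values())

def evaluate(bom, advisories, policy):
    """Return (component, kind, detail, scope) findings for every component in the BOM."""
    findings = []
    for comp in bom:
        scope = "direct" if comp["direct"] else "transitive"
        for adv in advisories:
            if adv["name"] == comp["name"] and parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
                findings.append((comp["name"], "vulnerable", f'{adv["id"]} fixed in {adv["fixed_in"]}', scope))
        lic = comp["license"]
        if lic in policy["deny"]:
            findings.append((comp["name"], "license-denied", lic, scope))
        elif lic not in policy["allow"]:
            findings.append((comp["name"], "license-review", lic, scope))
    return findings

def gate_passes(findings):
    """Fail the build on vulnerable or license-denied components; review items are only reported."""
    return not any(kind in ("vulnerable", "license-denied") for _, kind, _, _ in findings)
```

Running `evaluate` with only `NVD_LIKE_FEED` silently drops the libbar finding; with the merged feeds it is reported as a transitive vulnerability alongside the denied license.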
Gartner’s report states that in the next five years the provision of an up-to-date, comprehensive and detailed Bill of Materials will become a standard contractual requirement for both buyers and vendors. While currently this practice is reserved for regulated industries, the increased reliance on open source and third-party components throughout the software development industry demands this type of document. This requirement will make SCA tools a must-have for all organizations, as manually producing a detailed inventory report covering all aspects of the open source components included in a project, including licensing and copyright, versioning, and any other relevant information, is almost an impossible mission.
Developers are the ones choosing open source components, integrating them into the product, and updating them in case an issue arises. Therefore, Gartner’s recommendation is to choose an open source management tool that can integrate with development environments, like IDEs and repositories, along with support for remediation processes. Advanced SCA solutions for developers also offer automated workflows that include issue tracking systems and browser support for assessing open source components even before they are added to the code.
Beyond quick detection of vulnerabilities, advanced SCA tools can also accelerate the remediation process by automatically detecting newly published open source vulnerabilities, including direct and transitive dependencies.
Gartner’s report emphasizes a new capability of prioritizing detected vulnerabilities by analyzing whether a vulnerable method is actually being used in the application or not. This enables teams to invest their time wisely, remediating the issues that really matter. The right SCA tools can save organizations a lot of the valuable time and money currently spent on slow and human error-prone manual processes.
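The prioritization capability described above, as an added example that is not part of the report or of any product: a static check of whether application code actually calls a method an advisory flags as vulnerable. The module name `libfoo`, the method `parse_untrusted` and both application snippets are constructed for the demo.

```python
import ast

# Constructed advisory data: (module, function) pairs flagged as vulnerable.
VULNERABLE_METHODS = {("libfoo", "parse_untrusted")}

# Constructed application sources: the first only uses a harmless method of the
# flagged library, the second reaches the vulnerable method through an alias.
SAFE_USAGE = """
import libfoo as foo
def handler(data):
    return foo.render(data)
"""
RISKY_USAGE = """
from libfoo import parse_untrusted as parse
def handler(data):
    return parse(data)
"""

def called_functions(source):
    """Return the set of (module, function) pairs called in source, resolving import aliases."""
    tree = ast.parse(source)
    module_aliases = {}   # local name -> module, from "import m [as x]"
    imported_names = {}   # local name -> (module, function), from "from m import f [as x]"
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for alias in node.names:
                module_aliases[alias.asname or alias.name] = alias.name
        elif isinstance(node, ast.ImportFrom) and node.module:
            for alias in node.names:
                imported_names[alias.asname or alias.name] = (node.module, alias.name)
    calls = set()
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if isinstance(func, ast.Attribute) and isinstance(func.value, ast.Name) and func.value.id in module_aliases:
            calls.add((module_aliases[func.value.id], func.attr))
        elif isinstance(func, ast.Name) and func.id in imported_names:
            calls.add(imported_names[func.id])
    return calls

def reachable_vulnerabilities(source, vulnerable=VULNERABLE_METHODS):
    """Vulnerable methods the code actually calls. An empty result lowers priority but
    does not prove safety: dynamic dispatch, getattr, and indirect calls are not modelled."""
    return called_functions(source) & set(vulnerable)
```

A "not reachable" result is a reason to schedule the upgrade later, not to skip it; the component is still vulnerable and a future code change can make the call reachable.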
One point that Gartner’s Technology Insight for Software Composition Analysis repeatedly stresses is that organizations should invest in creating an open source policy that addresses all of the risks involved in open source usage.
When it comes to choosing an SCA solution, while the report recommends that organizations first consider tools provided by their existing testing tool provider, its bottom line is that organizations need to choose the SCA tool that answers their specific needs. Once an organization’s stakeholders have put together a solid open source policy, the Gartner report recommends tools that help integrate open source management into the CI/CD toolchain, to support a secure and efficient DevOps pipeline.
When looking for the right fit in an SCA tool, stakeholders need to make sure that the SCA solution that they choose can successfully help implement their open source policies, providing quality and security gates, and minimizing attack windows.