In August 2022, the Enterprise Strategy Group (ESG) released “Walking the Line: GitOps and Shift Left Security,” a multitenant developer security research report that examines the current state of application security. The report’s main finding is the prevalence of software supply chain risks in cloud applications. Jason Schmidt, general manager of the Synopsys Software Integrity Group, echoed this, saying, “As organizations are witnessing the level of potential impact that a software supply chain vulnerability or breach can have on their business through high-profile headlines, prioritizing a proactive security strategy is now a fundamental business imperative.”
The report shows that organizations are realizing that the supply chain is more than just dependencies. It also includes development tools and pipelines, repositories, APIs, Infrastructure as Code (IaC), containers, cloud configurations, and more.
While open source software may be the initial challenge in the supply chain, the shift to cloud-based application development is causing organizations to worry about risks to additional nodes in their supply chain. In fact, 73% of organizations reported that they “significantly increased” their software supply chain security efforts in response to recent supply chain attacks.
Respondents to the report’s survey cited adopting some form of strong multifactor authentication technology (33%), investing in application security testing controls (32%), and improving asset discovery to update their organization’s attack surface inventory (30%) as the key security initiatives they implemented in response to supply chain attacks.
Forty-five percent of respondents named APIs as the most vulnerable area of their organization to attack today. Data storage repositories were rated the most at risk by 42%, and application container images were rated the most susceptible by 34%.
The report shows that a lack of open source management threatens the compilation of an SBOM.
The survey found that 99% of organizations are either using or plan to use open source software within the next 12 months. While respondents have many concerns about the maintainability, security, and reliability of these open source projects, their most cited concern relates to the extent to which open source is used in application development. Ninety-one percent of organizations using open source believe that their organization’s code is, or will be, 75% open source. Fifty-four percent of respondents cited “a large percentage of open source software” as a problem or issue with open source software.
Synopsys research also found a correlation between the extent of open source software (OSS) use and the presence of associated risk. As the scale of OSS usage increases, its presence in applications will naturally increase as well. The pressure to improve risk management in the software supply chain has brought the software bill of materials (SBOM) into focus. But with the rise of OSS use and lackluster OSS governance, compiling an SBOM is becoming a challenge, and 39% of ESG survey respondents cited OSS use as a challenge.
OSS risk management is a priority, but organizations lack a clear delineation of responsibilities.
The survey indicates that while the focus on open source fixes following recent events (such as the Log4Shell and Spring4Shell vulnerabilities) has led to a significant increase in OSS mitigation activities (the 73% mentioned above), the party responsible for these mitigation efforts remains unclear.
A clear majority of DevOps teams view OSS management as part of the developer role, while most IT teams view it as the security team’s responsibility. This may well explain why organizations have struggled to get OSS right for a long time. The survey found that IT teams are more concerned about the source code of OSS than security teams are (48% vs. 34%), which highlights the role of IT in properly maintaining OSS vulnerability patches, especially since IT and DevOps respondents (49% and 40%, respectively) see identifying vulnerabilities before deployment as the responsibility of the security team.
Developer capabilities are growing, but a lack of security expertise is a challenge.
The “shift left” movement was a key factor in moving responsibility for security to the developer. This shift was not without challenges; although 68% of respondents cited developer support as a high priority in their organization, only 34% of security respondents actually felt confident that development teams were taking responsibility for security testing.
Issues such as overloading development teams with additional tools and responsibilities, stifling innovation and speed, and gaining oversight of security efforts appear to be the biggest obstacles to developer-led AppSec efforts. The majority of security and AppDev/DevOps respondents (65% and 60%, respectively) have policies that allow developers to test and patch their code without interacting with security, while 63% of IT respondents said their organization has policies that require security team participation alongside developers.
About the author
Mike McGuire is a Senior Solutions Manager at Synopsys, where he focuses on risk management in the open source software supply chain. After starting his career as a software engineer, Mike moved into product and market strategy roles as he enjoys interacting with the customers and users of the products he works on. Leveraging his years of experience in the software industry, Mike’s primary goal is to connect the complex challenges of the AppSec market with Synopsys solutions for building secure software.