Open Source Software Breaches on the Rise

March 4, 2019

Sonatype published findings from its 6th annual DevSecOps Community Survey of 5,558 IT professionals, making it the largest DevSecOps survey ever conducted. The survey, developed in partnership with CloudBees, Carnegie Mellon’s Software Engineering Institute, Signal Sciences, 9th Bit, and Twistlock, unveiled a new portrait of what organizations with elite DevSecOps programs look like in the face of accelerating attacks from bad actors.

As DevOps practices are maturing rapidly, elite organizations are automating security earlier in the development lifecycle and managing software supply chains as a critical differentiator to their competitors. The survey results revealed that organizations with elite DevSecOps programs are outperforming other enterprises by extreme margins.

The factors that set elite programs apart include:

  • DevOps Automation - Elite DevSecOps practices are 700% more likely to have fully integrated and automated security practices across the DevOps pipeline. They also have more feedback loops that surface security issues directly from their tooling.
  • Open Source Controls - 62% of respondents with elite programs have an open source governance policy in place where automation improves adherence to it, compared to just 25% of those without DevOps practices.
  • Container Controls - 51% of respondents with elite practices say they use automated security products to identify vulnerabilities in containers, while only 16% of those without DevOps practices said the same.
  • Training - Organizations with elite DevSecOps practices are 3x more likely to provide application security training to developers than organizations without DevOps practices.
  • Preparedness - 81% of those with elite practices have a cybersecurity response plan in place compared to 62% of those without DevOps practices.

“Forty-seven percent (47%) of the organizations we surveyed are deploying to production multiple times a week, while the velocity of their security practices is also increasing,” said Derek Weeks, VP and DevOps Advocate at Sonatype. “The DevSecOps community has shown us that elite organizations are performing significantly less manual work, seamlessly blending security into their developers’ world, and are better prepared for remediating security incidents as they arise, when compared to their counterparts without DevOps practices.”

Other key findings from the largest DevSecOps survey ever include:

  • 24% of all respondents suspected or verified a breach related to open source components, a 71% increase since Heartbleed made headlines 5 years ago.
  • 50% of elite programs produce a complete software bill of materials that is updated regularly, while only 19% of those without DevOps practices maintain one.
  • Developers continue to believe security is important but are unable to make it a priority. For the third year in a row, 48% of respondents said developers feel they do not have the time to spend on security.
  • 50% of respondents using cloud infrastructure said they simply rely on the service provider to secure their cloud.
  • 46% of organizations without DevOps practices do not encrypt application-level credentials, while 75% of elite DevSecOps practices do.
