Employees use open source applications in organizations of all sizes and across all industries, and this trend shows no signs of slowing down. It is both cost effective and efficient to incorporate source code into software during the development stage. With all those extra resources, developers can focus more on the organization’s proprietary code.

According to a GitHub survey, 94 percent of respondents reported using open source applications at least occasionally, while 81 percent used them frequently. In fact, 82 percent of developers said their employers accepted the use of open source software, and 84 percent were encouraged to use open source code in their applications.

Sign up for a Free Trial of IBM Application Security on Cloud

Striving for Continuous Delivery and Security

Despite the cost- and time-saving benefits, open source components come with liabilities in their licensing agreements. Additionally, about 1 in 16 open source download requests is for a component that contains a known vulnerability.

With waterfall-based development cycles, the pain of vulnerable open source components was evident, but not as crucial as it is today. Agile development cycles are fast and assume that with each sprint, a usable and safe product can be released to the market. How can this need for a continuous and agile development process be synced with the necessity to keep one’s solution perpetually safe from open source vulnerabilities?

Figure 1: Comparing the traditional, uncoordinated service delivery life cycle with the modern method of continuous application security testing (Source: Forrester, May 3, 2016. Amy DeMartine — “Gear Up for Modern Service Delivery.”)

Detecting Vulnerabilities During Development

But what about open source code, which is now more common in organizations’ product code than proprietary code? In the February 2017 Gartner Magic Quadrant for Application Security Testing report, analyst firm Gartner stated, “By 2019, 80% of application security testing vendors will include software composition analysis in their offerings, up from 40% today.” (This report is licensed by IBM and available here.)

That represents 40 percent growth in just two years. What does it mean for you, the client, to have software composition analysis (SCA) offered as part of the regular application security offering, alongside static analysis security testing (SAST), dynamic analysis security testing (DAST) and interactive application security testing (IAST) solutions? Mainly, Gartner’s prediction suggests that you will probably be able to leverage one vendor’s portfolio of solutions to test your application, whether legacy, modern, mobile or composite.


Figure 2: Types of Application Security Testing Tools (Source: Forrester, Aug. 7, 2017. Amy DeMartine — “Vendor Landscape: Application Security Testing.”)

Three Steps to Prevent Vulnerabilities From Getting Into Your Code

Nowadays, application security tools will intervene in the software development life cycle (SDLC) as soon as they can. At best, they will be tied to the organization’s build tool and will fail the build if they contain vulnerable components or at least notify the release manager of all vulnerable components.

For development managers and chief security officers (CSOs), such day-to-day practices can achieve five out of six DevOps security imperatives: automation, speed, coverage, detection and remediation.

But what about the sixth imperative, prevention? This is where future best practices would come into play, empowering your developers to prevent vulnerable open source components from getting into your code. To accomplish this, security leaders should take the following steps:

  1. Define open source policies to be enforced automatically. At best, your SCA tool will empower you to set policies on pretty much anything. Examples of items that you might want to enforce include severity of security vulnerabilities, licensing groups, bug ratings and library ages.
  2. Empower your developers to download only secure components. Use a browser extension to alert developers on vulnerable open source components before they download them.
  3. Leverage the crowd’s wisdom to implement policies that similar organizations have already implemented. It could be the policies of development groups from similar verticals, such as health care and financial services. It could also leverage the implemented policies of similar-sized organizations. Learn from the experience of others to proactively keep security vulnerabilities out of your code.

Bringing it All Together

Continuous delivery and security of composite applications will soon become your day-to-day practices. Be sure to claim the next step’s best practices — the ultimate shift-left capabilities that empower your developers and prevent security vulnerabilities from getting into your code.

To learn more about the value of open source application security testing for your organization, consult our infographic. You can also take advantage of our complimentary trial of IBM Application Security on Cloud, featuring IBM Open Source Analyzer.

Sign up for a Free Trial of IBM Application Security on Cloud Today

More from Application Security

What’s up India? PixPirate is back and spreading via WhatsApp

8 min read - This blog post is the continuation of a previous blog regarding PixPirate malware. If you haven’t read the initial post, please take a couple of minutes to get caught up before diving into this content. PixPirate malware consists of two components: a downloader application and a droppee application, and both are custom-made and operated by the same fraudster group. Although the traditional role of a downloader is to install the droppee on the victim device, with PixPirate, the downloader also…

PixPirate: The Brazilian financial malware you can’t see

10 min read - Malicious software always aims to stay hidden, making itself invisible so the victims can’t detect it. The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan (RAT) malware that heavily utilizes anti-research techniques. This malware’s infection vector is based on two malicious apps: a downloader and a droppee. Operating together, these two apps communicate with each other to execute the fraud. So far, IBM Trusteer researchers have observed this…

From federation to fabric: IAM’s evolution

15 min read - In the modern day, we’ve come to expect that our various applications can share our identity information with one another. Most of our core systems federate seamlessly and bi-directionally. This means that you can quite easily register and log in to a given service with the user account from another service or even invert that process (technically possible, not always advisable). But what is the next step in our evolution towards greater interoperability between our applications, services and systems?Identity and…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today