Let me open your eyes to a tidal wave of change that has already flooded the development organizations across Financial Services and other industries:
“Software applications are no longer coded from scratch. They are assembled from building blocks — commonly known as open source components.”
This is not a prediction about a tidal wave to come. The wave is already on shore. In 2013, developers downloaded 13 billion open source components from the Central Repository — one of the largest web repositories for components. Why is this happening? Simple, it speeds development. Time to production is a critical objective for developers and operations, and building blocks are simply easier to work with than coding everything from scratch. Today, 90% of a typical application is composed of open source and third party components. Component-based development is a good thing for the financial services industry, but it does not come risk free.
First, allow me to share some simple facts:
- In 2013 there were 46 million downloads of vulnerable components from the Central Repository.
- There are approximately 18 million developers worldwide.
- This means every developer on the planet downloaded an average of 2.5 vulnerable components last year.
And to make this matter real, these components make it into production applications everyday. The applications that run critical business systems for large fortune 500 companies. The applications you use for online banking, for investment tracking, for managing insurance claims, and so on. In fact, in Sonatype’s Open Source Software Survey, our data indicated ‘71% of applications contain one or more critical or severe vulnerability.’
To ease your mind some, you should know the risk associated with the use of open source components in financial services has not gone unnoticed. In 2013, the Financial Services Information Sharing and Analysis Center (FS-ISAC) published a report detailing appropriate security controls types for third party service and product providers. One of the three “control types” detailed in the report addressed open source libraries and components. Here are two brief excerpts from that report:
“Control Type 3…is included as a control because it represents how the supply chain is feeding internal software development processes within financial institutions today . The majority of internal software created by financial services involves acquiring open source components and libraries to augment custom developed software . The Central Repository (formerly Maven Repository) is one of the largest open source code repositories . Open source code is available freely and reviewed by many independent developers, but this does not translate into software components and libraries free from security vulnerabilities”.
“When application developers seek to build new functionality to meet business needs, they turn to open source libraries for access to components that dramatically improve the time to market of their delivery . The most appropriate type of control for addressing the security vulnerabilities in open source, including older versions of the open source, is one that addresses vulnerabilities before the code is deployed—i .e . by applying policy controls in the acquisition and use of open source libraries by developers. Therefore a combination of using controlled internal repositories to provision open source components and blocking the ability to download components directly from the internet is necessary for managing risk . In fact, Gartner recommends that “if open source is used, ensure that the frameworks and libraries used are legitimate and up-to-date, and that the compiler used hasn’t been compromised.”
Sonatype is already addressing the needed features to apply lifecycle management controls for open source components. As Sonatype CEO, Wayne Jackson shares, “Our mission is relatively simple. We just want to help developers make better decisions about the components they integrate into their software projects, and to help them keep those projects secure over time.”
Watch the full video, http://youtu.be/9I_g_VKey3E.
We’re excited to see this mission also reflected in the FS-ISAC guidelines outlined in their recent report ‘Appropriate Software Security Control Types for Third Party Service and Product Providers‘. Combining the controls recommended for financial services firms as well as the addition of A9 to the OWASP Top 10, ‘using components with known vulnerabilities’, its time to put this on your priority list. Don’t wait till your CISO comes to you with a question about where and how you’re using 3rd party components with known vulnerabilities, start incorporating policy enforcement during the development lifecycle now.