How’s that deodorant of yours working? If you wanted to hear yesterday’s presentation you had to crowd in, close -- it was standing room only.
Sonatype’s Derek Weeks (@weekstweets) presented at Global AppSec DC. The conference, sponsored by the OWASP Foundation, is one of the largest gatherings in the open security community. In attendance were private and public sector infosec professionals with the shared goal of building a more secure web.
Derek’s presentation, Securing Modern Applications: The Data Behind DevSecOps, discussed the research presented in this year’s State of the Software Supply Chain report. The report, written in conjunction with Gene Kim of IT Revolution and Dr. Stephen Magill of Galois, proved a few working hypotheses about today’s open source software use, and how that impacts web security.
Surprisingly, the findings blew up some assumptions, too.
Hypothesis 1: Projects that release frequently have better outcomes
TRUE. Projects that release frequently do have better outcomes. They’re five times more popular. They have 79% more developers than peers within the open source community. And they have 12% more foundational support within these projects.
Hypothesis 2: Projects that update their dependencies more frequently are more secure
TRUE. We validated this hypothesis by examining the data: 36,000 open source software projects, 12,000 enterprise development teams, and 3.7 million open source releases. “If you see projects updating more frequently, pick those. Rely upon those components as your suppliers of the code into your enterprise and organizations,” Derek recommended.
Hypothesis 3: Projects with fewer dependencies stay up-to-date better
FALSE. “What we actually found was that components with more dependencies actually had better median times to update than their peers,” said Derek. The larger teams are usually the stronger suppliers. The study shows that larger development teams have a 50% faster median time to update (MTTU).
Hypothesis 4: More popular projects stay up-to-date compared to less popular projects
FALSE. “Our findings change the way we need to think about the software we rely upon,” said Derek. More popular projects should be better at staying up to date -- but they aren’t.
Back in 1999 the open source community accepted the idea that “with enough eyes, all bugs are shallow.” That’s not true anymore. The explosive growth and use of open source software across the software supply chain makes this impossible. Now open source developers, defenders, and advocates must rely on automated security tools. The shift to security automation, coupled with AI and machine learning, is the current state of the secure web...and its future.