
Sonatype Blog

October is Cyber Security Awareness Month. Developers Are Some of Our Best Guardians.

October 21, 2019 By Katie McCaskey

October is National Cybersecurity Awareness Month (NCSAM). NCSAM is a joint effort between government and industry to raise awareness about cyber threats. This year, NCSAM highlights three areas where cyber security protections (or vulnerabilities) affect everyday Americans: citizen privacy, consumer devices, and e-commerce.

Open Source Components Affect the Security of All Consumers

A common thread running through all of these consumer-facing security priorities is the building blocks of software: open source components. As developers and others in tech know, open source use is skyrocketing. Our research this year shows exponential growth in open source use. For example, in 2018, download requests for Java components grew 68% year over year to 146 billion. Downloads of npm packages reached 10 billion per week, equating to 185% growth year over year.

The volume of open source component downloads mirrors the multitude of benefits they offer. Notably, component use allows for faster software production, and ultimately, faster rates of innovation as components are combined and expanded in novel ways.

However, the power of OSS does not come without also introducing significant risk. Open source projects have vulnerabilities. In fact, last year 51% of JavaScript packages downloaded had a known vulnerability and 10% of Java packages had a known vulnerability. Or, components could be maliciously attacked by bad actors, compromising any applications that depend on those projects.

Sonatype’s Nexus platform safeguards software supply chains around the globe. Protecting the integrity of open source software requires us to follow emerging cyber security threats, anticipate future trends, and most importantly: develop next-generation software to combat malicious intent.

Open Source Software Underpins Everything

NCSAM is right to highlight citizen privacy, consumer devices, and e-commerce this year.

Consumers are increasingly more aware of privacy issues, especially as the world community is adjusting to GDPR, and companies are beginning to be fined as the new law is enforced.

Similarly, in 2019 device manufacturers of all kinds are stepping up their security game. The FDA, for example, proposed new CBOM (Cybersecurity Bill of Materials) requirements. Risks increase as devices become smarter and more interconnected.

Yet another example involves e-commerce. Shopping online -- a very popular American habit -- potentially puts financial data at risk because our shopping carts are built on open source software. That’s why, earlier this year, the PCI Security Council introduced a new security standard to make electronic payments safer.

Developers Play a Vital Role in E-Commerce Security

Large companies, like Discover, are willing to talk about how they are building systems into their development process to protect consumers’ financial data. Developers are central to the process. Actions to protect the public’s financial data must occur earlier in the SDLC.

“The PCI-DSS has all of the mandatory regulations in it,” says Sonatype’s DJ Schleen (@DJSchleen). Even so, there are specific things individual developers can do to secure financial transactions, whether developing for a company or contributing to an open source project:

1. Open the lines of communication with your Security team. Understand what the impact of PCI is to your organization and what is needed to implement and attest to it.

2. Code everything. Code infrastructure, product, security, everything. Scan all the things for vulns. Never check in any code without a work item.

3. Code your CI/CD pipeline and document the stages.

4. Write security policy tests, similar to a unit test and automated. Cross-reference your GRC control standards right in the test assertions so developers can easily understand and reference compliance requirements.

5. “For the love of God produce an SBoM for every release and put it in a document repository!”
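An added example (not from the post, and not Sonatype's or DJ Schleen's code) of items 4 and 5 taken together: a policy test that reads a release SBOM, checks it against a vulnerability feed, and cites the control behind each failed assertion. The SBOM, the vulnerability feed, the advisory id and the INT-SBOM-01 control name are constructed for this illustration; the PCI DSS 6.2 reference is an illustrative mapping to be replaced with your own GRC identifiers.

```python
import json
from dataclasses import dataclass
from typing import Dict, List

# Constructed, minimal CycloneDX-style SBOM for one release (not any real project's SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "components": [
    {"type": "library", "name": "web-core",   "version": "1.4.2",
     "purl": "pkg:maven/org.example/web-core@1.4.2"},
    {"type": "library", "name": "json-util",  "version": "2.0.0",
     "purl": "pkg:maven/org.example/json-util@2.0.0"},
    {"type": "library", "name": "legacy-lib", "version": "3.1"}
  ]
}"""

# Constructed vulnerability feed keyed by package URL; the advisory id is a placeholder.
KNOWN_VULNS: Dict[str, str] = {"pkg:maven/org.example/web-core@1.4.2": "ADVISORY-PLACEHOLDER-1"}


@dataclass
class Violation:
    purl: str
    finding: str
    control: str  # GRC control cited with the finding so developers see the requirement behind it


def policy_no_known_vulns(sbom: dict, vulns: Dict[str, str]) -> List[Violation]:
    """Every component in the release must be free of known vulnerabilities.
    Cross-referenced to PCI DSS v3.2.1 Requirement 6.2 as an illustrative mapping;
    substitute your own GRC control identifiers."""
    return [Violation(c["purl"], f"known vulnerability {vulns[c['purl']]}", "PCI DSS 6.2")
            for c in sbom.get("components", []) if c.get("purl") in vulns]


def policy_every_component_identified(sbom: dict) -> List[Violation]:
    """Every component must carry a package URL; without one it cannot be matched against
    advisories at all. INT-SBOM-01 is a hypothetical internal policy name."""
    return [Violation(f"{c.get('name')}@{c.get('version')}", "component has no purl", "INT-SBOM-01")
            for c in sbom.get("components", []) if not c.get("purl")]


def evaluate_release(sbom_json: str, vulns: Dict[str, str]) -> List[Violation]:
    """Run all policy tests over a release SBOM; an empty list means the release passes."""
    sbom = json.loads(sbom_json)
    return policy_no_known_vulns(sbom, vulns) + policy_every_component_identified(sbom)


if __name__ == "__main__":
    for v in evaluate_release(SBOM_JSON, KNOWN_VULNS):
        print(f"[{v.control}] {v.purl}: {v.finding}")  # a non-empty list should fail the pipeline stage
```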



Written by Katie McCaskey

Katie is an experienced technology writer and entrepreneur. At Sonatype, she's focused on creating and finding great content.