Software powers processes in all markets and segments of industry, and third-party software has become part of virtually every development environment. It’s risky, however, to overlook the security of the microservices, source components and APIs that you’re using in your software supply chain.
Ryan Lloyd, Vice President of Products at Veracode, shares his insights on software supply chain risks and vulnerabilities and how to mitigate them.
Why is evaluating third-party software and open source libraries important?
Lloyd: The use of open source libraries allows organizations to meet the demands of accelerated development times, but with more than five million open source libraries available today and an estimated half-billion more libraries to be released in the next decade, organizations face increased exposure to vulnerabilities.
While many enterprises have developed robust testing processes for internal software applications, those programs typically don’t include security scanning on third-party and open source software. This testing is often presumed to be secure or is overlooked in application security testing, which leaves a wide-open gap in an organization’s security strategy. This is part of the reason why the software supply chain can represent tons of risk and leave organizations exposed. Every single business has this problem, and it’s getting worse over time because everything keeps getting more fragmented, more distributed and faster.
Do open source benefits outweigh the risk?
Lloyd: Open source software offers many benefits to enterprises and development teams; many development teams rely on open source software to accelerate the delivery of digital innovation. However, open source vulnerabilities pose significant risks to application security.
Open source libraries allow developers to meet the demands of today’s accelerated development times. However, they are also becoming the most popular attack vector. Organizations are going to continue to harness the power of open source code to speed up development cycles, but need application testing tools such as software composition analysis (SCA) to reduce unnecessary risk.
Is there any way to plan for the unexpected?
Lloyd: The most powerful SCA solutions allow developers to rapidly prioritize, categorize and remediate open source related issues in a low-noise environment.
For example, vulnerable methods detection technology and machine learning models within SCA can identify vulnerabilities that have been fixed by open source projects but not disclosed to the National Vulnerability Database (NVD). This vulnerable method functionality not only identifies which applications have a vulnerable component but additionally identifies whether or not an attacker can exploit the vulnerable code, saving development time by allowing developers to prioritize fixes based on risk and exploitability. Machine learning models that detect unreported vulnerabilities in near real-time are required to keep developers from unknowingly introducing vulnerabilities into their code.
What advice can you offer software developers regarding a supply chain view of software?
Lloyd: Developers should seek solutions that offer automatic generation of pull requests and remediation guidance to accelerate fixes, helping them remediate faster and eliminating open source vulnerabilities that could lead to catastrophic data breaches without costly manual processes. Application security testing that supports a broad range of languages and integrations is also important because it can increase development teams’ productivity along with creating more secure software.