Did you know that up to 90 percent of today's applications typically consist of third-party components? And that more than 50% of the top 500 global companies use open source?
Look, there's no way around it. In today's software development environment, keeping up with the speed at which new features and capabilities must reach the market makes open source a critical component of any modern web development. Even the best developers in the world use it.
"Why should developers spend hours of their day creating a feature from scratch, when there's an open-source project on GitHub they can download?" - OSI board
However, when it comes to security, open source software may be perceived, depending on whom you ask, as more secure than proprietary software, or as less secure for the very same reason: anyone can easily access it.
“There’s always a potential for cybercriminals to try and leverage openness for malicious purposes. However, we’ve found that the advantages and benefits of open source greatly outweigh this risk. We have observed that good communities are quick to respond to security vulnerabilities — contributors amass support very quickly to patch these kinds of issues. Thus assessing the health of a community is just as important as the technological merits of a particular open source project.” - Michael Cheng, Facebook PM.
This is a key point worth picking up on: community is integral to any open source project, and the number of active contributors is indicative of its overall health. But just because something is open source doesn't mean it is inherently more secure. If a project isn't actively maintained and hasn't been updated in 2 years, it's likely to be less secure than a proprietary equivalent that is regularly updated. As the saying goes, there's no security through obscurity: security depends on knowing which libraries, used and unused, are present in your application, and on your security model.
So, what can developers do?
One of the most immediate things you can do as an individual developer is to check whether any of the libraries you currently use are out of date, and to gain visibility into which libraries are part of your application.
To scan your applications for vulnerable libraries, use free SCA tools such as Mend, Snyk, SonarQube, or CodeSec by Contrast; they are simple to install and provide an immediate list of libraries that need updating, at no cost.
CodeSec also provides the simplest way for users to generate a Software Bill of Materials (SBOM), which can then be sent to your org's security team to keep them up to date on which libraries are used in your application, again for free.
I encourage everyone to install one of these tools today and try out a scan. Security is not going anywhere and familiarizing yourself with what security insight looks like will be an advantage in the long run.
Free SCA Tools:
- CodeSec by Contrast: https://www.contrastsecurity.com/developer
- Snyk: https://snyk.io/product/snyk-code/
- Mend: https://www.mend.io/free-developer-tools/
- SonarQube: https://www.sonarqube.org/downloads/
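As an added illustration of what such a scan does under the hood (example code written for this post, not taken from any of the tools listed): it parses a pinned Python requirements file, flags pins that fall inside an advisory's vulnerable range, and emits a minimal CycloneDX-shaped SBOM. The manifest contents and the advisory ranges are constructed for the demo; real tools query live vulnerability databases.

```python
import json
import re

# Constructed sample manifest (not a real project's requirements file).
REQUIREMENTS = """\
requests==2.19.0
urllib3==1.26.5
# pinned for the demo
flask==2.3.2
"""
# Constructed advisories as (package, first vulnerable, first fixed); made-up
# ranges standing in for what a real SCA tool pulls from a vulnerability database.
ADVISORIES = [("requests", "0", "2.20.0"), ("urllib3", "1.26.0", "1.26.6")]

def parse_version(v):
    """Turn '1.26.5' into (1, 26, 5) so versions can be ordered numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", v))

def parse_requirements(text):
    """Return {name: version} for '==' pinned lines, ignoring comments and blanks."""
    pins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"^([A-Za-z0-9_.-]+)==([0-9][0-9A-Za-z.]*)$", line)
        if m:
            pins[m.group(1).lower()] = m.group(2)
    return pins

def find_vulnerable(pins, advisories=ADVISORIES):
    """Names whose pinned version satisfies introduced <= version < fixed."""
    hits = []
    for name, introduced, fixed in advisories:
        v = pins.get(name)
        if v and parse_version(introduced) <= parse_version(v) < parse_version(fixed):
            hits.append(name)
    return sorted(hits)

def to_sbom(pins):
    """CycloneDX-shaped SBOM dict listing each component with a pkg:pypi purl."""
    components = [
        {"type": "library", "name": n, "version": v, "purl": f"pkg:pypi/{n}@{v}"}
        for n, v in sorted(pins.items())
    ]
    return {"bomFormat": "CycloneDX", "specVersion": "1.4", "components": components}

if __name__ == "__main__":
    pins = parse_requirements(REQUIREMENTS)
    print("needs update:", find_vulnerable(pins))  # ['requests', 'urllib3']
    print(json.dumps(to_sbom(pins), indent=2))
```

The SBOM dict can be handed to the security team as JSON; the "needs update" list is the same kind of output the tools above produce, minus their real advisory feeds.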
Top comments (5)
Let me know your thoughts, people! What's your favorite tool?
I tried to use Trivy for dependency scans, but they do not include develop-level ones.
So I am looking for an alternative like Snyk to include as part of my CD/CI workflows (with GitHub Actions).
Very timely. Thank you.
Really great post
Thanks for the great post