WatersWorks, by John K. Waters, July 13, 2016
Sonatype has just released its second annual report on managing open source components. The “2016 State of the Software Supply Chain” report is available now, and well worth reading.
Among the things I like about this report is that it’s based on the analysis of 31 billion download requests of open source software components from the Central Repository, which Sonatype manages, and that it’s the result of an analysis of the patterns and practices of more than 25,000 developers and 3,000 organizations.
The company started out as a core contributor to the Apache Maven project, which is now the largest public repository of open source Java components. That 31 billion figure represents an increase of 82 percent between 2014 and 2015, according to the company. Sonatype also introduced repository managers into the software supply chain with its Nexus products.
Easily the most disturbing revelation in this report is that defective components in the software supply chain are routinely making their way into applications, which is costing enterprises millions of dollars. In fact, 1 in 16 downloads from the repository had a known security defect, the report’s authors found, and 6.8 percent of components in use among the 25,000 applications analyzed had a known security defect.
And it gets worse: “However, because a single component may contain multiple vulnerabilities, it’s important to understand that an average application consisting of 106 components — of which 6.8% are known bad — could contain numerous unique vulnerabilities,” the report stated.
The problem here is twofold: not all components are created equal — as the report puts it, the “massive variety and volume of software components vary widely in terms of quality — and components “age and grow stale quickly.”
“Last year, the average enterprise downloaded 229,000 open source components,” the report warned. “If properly sourced and managed, open source components are a tremendous source of energy for accelerating innovation. If not, they lead directly to security vulnerabilities, licensing risks, enormous rework, and waste.”
I touched base about this particular finding via e-mail with John Matthew Holt, founder and CTO of Dublin-based Java security vendor Waratek.
“That’s an overwhelming statistic when you consider that it represents about 2 billion components downloaded with a known vulnerability,” he said. “Security risks are a fact of life and will always be with us in some form. What this statistic points to is the need to move beyond trying to ‘fix the code’ or ‘just writing better code.’ Those are not viable solutions to address all vulnerabilities.”
Holt is an enthusiastic proponent of Runtime Application Self Protection (RASP), which Gartner has defined as “a security technology built in or linked to an application or app runtime environment, and capable of controlling app execution and detecting and preventing real-time attacks.” Holt’s company makes a containerized RASP product, called Locker, which provides security monitoring, policy enforcement, and attack blocking from within the Java Virtual Machine (JVM).
“The Sonatype report points to two major Java risks that can be mitigated by RASP delivered by virtualization: known (and unknown vulnerabilities) as well as legacy code,” he said. “A RASP solution can virtually patch known vulnerabilities on a permanent basis or temporarily while you rewrite the risky code, without shutting down the app. RASP can also be used to bring out-of-date components, whether they represent a vulnerability or not, to current Java standards without having to change an app’s code. That’s important when you look at the Sonatype’s finding that 10% of components in 1,000 repositories had not been updated in five years or longer.”