Cloud Foundry’s North America Summit is around the corner, and as sponsors and partners, we are super excited. Building on our State of Open Source Security report from late February, here is a list of six themes we recommend looking out for when building your talks/sessions agenda or planning your expo walk.
(Why six? Well, frankly, because Avengers: Endgame is almost here, so as MCU geeks we decided to pick one theme per infinity stone.)
Reality: Open source keeps eating software
We tracked growth in indexed packages (2018 vs. 2017) and found the fastest growth at Maven Central with 102%, PyPI with 40%, npm with 37%, and NuGet with 26%. In terms of absolute numbers, npm reported 304 billion downloads for 2018.
Our recommendation: look for talks that provide insight into making the most of open source at scale, such as this one from Comcast’s Charlie Baum.
Soul: Bigger means more vulnerable
We identified 88% growth over two years for application vulnerabilities coming from open source code. Specifically, in 2018, vulnerabilities for npm grew by 47%, for Maven Central by 27%, and for PHP Packagist by 56%. On the OS level, in 2018 we tracked over four times more vulnerabilities found in RHEL, Debian and Ubuntu as compared to 2017.
Critical for developers building apps using open source is the finding that 78% of vulnerabilities are found in indirect dependencies, i.e., libraries hidden within layers of the projects being leveraged.
Our recommendation: look for talks that focus on data-driven development, such as this one from Charles Schwab’s Henri van den Bulk and Jayson Go.
Space: Containers are awesome, but come with new problems
While open source is eating software, containers are eating infrastructure. We found that each of the top-10 most popular default docker images contains at least 30 vulnerable system libraries. Luckily, we also know that 44% of scanned docker images can fix known vulnerabilities by updating their base image tag.
Our recommendation: look for talks that provide an insight into scalable, automated and secure implementations of containers, such as this one from Comcast’s Sergey Matochkin.
Time: After identifying risk, mitigation is slow and partial
Knowing the risk is just the first step. We found that 37% of open source developers don’t implement any sort of security testing in the pipeline, and that 54% of developers don’t do any Docker image security testing. Furthermore, the median time from when a vulnerability was added to an open source package until it was fixed was over two years.
Our recommendation: look for talks about mitigation and adaptation strategies throughout the software lifecycle, such as this one from Dynatrace’s Michael Villiger, or, conversely, this one from VMware’s Mirah Gary.
Power: Increasingly, the buck stops with developers
Most open source projects are maintained by volunteers doing their very best. While security awareness is improving, still only a third of maintainers polled considered themselves to have high security knowledge. It may not come as a surprise, then, that 81% of users polled feel developers are responsible for open source security, and that 68% of users feel that developers should own the security responsibility of their Docker container images.
Our recommendation: look for talks that focus on empowering developers to own more of the security of their app, such as this one from Liberty Mutual’s Jai Schniepp, or this one from EngineerBetter’s Colin Simmons.
Mind: The good news is that we are all moving forward
2018 has seen promising growth in segments such as software composition analysis, pipeline security, container security and other related areas—new projects, new products, new capabilities.
In the second half of 2018 alone, Snyk opened more than 70,000 Pull Requests for its users to remediate vulnerabilities in their projects automatically. We provided this capability on the back of our Vulnerability Database, which tracks approximately 70% more vulnerabilities than any CVE/NVD and public vulnerability databases. In addition, in 2018 alone, 500 vulnerabilities were disclosed to the relevant communities by Snyk’s dedicated research team.
Our recommendation: obviously, come by booth S8 at Cloud Foundry Summit to tell us how your developers currently secure their Cloud Foundry code. We can share how Snyk’s Buildpack and Droplet integrations for Cloud Foundry distributions and new integrations for PKS help our users automate their open source security within their Cloud Foundry flow.
