Connecting expert communities to the Forbes audience.What is this?
Feb 23, 2018 @ 07:15 AM
Post written by
Software developer, innovator, and entrepreneur who is most prominently known for his role as the CTO and co-founder of Sonatype, Inc.
Brian Fox Brian Fox , Forbes Councils
Software is no longer written from scratch — it’s assembled.
In fact, 80-90% of a modern application is built using open source software components. These free, packaged bits of reusable code are downloaded each year by the hundreds of billions. Every development team uses them to accelerate production and deliver new innovations. Every software application you use, at work or at home, is made up of them.
In today’s application economy, innovation is king, speed is critical and open source is center stage. While organizations are delivering software innovations at a quicker pace, one aspect of delivery is being gravely overlooked: security. Our research estimates that 1 in 18 open source components downloaded last year had a known security vulnerability. The security defects in these components are being assembled into finished goods in medical, defense, entertainment, financial services and every other industry, which leaves applications and their data, our privacy — and potentially our health — at risk.
When the innovation race is being run without proper oversight, getting to the finish line safely will require greater (and faster) care. That’s set to be a major challenge for organizations developing software under the forthcoming EU General Data Protection Regulation (GDPR).
Article 32 of the GDPR states that organizations must “implement appropriate technical and organizational measures” to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services.” When combined with Article 25, which mandates that data protection measures be implemented “by design and by default”, it’s clear that privacy and security must become ingrained in every element of IT infrastructure.
If you fail to follow these rules and known software vulnerabilities end up inadvertently helping hackers steal sensitive consumer data, you could be on the hook for seriously big fines: up to €20 million, or 4% of global annual turnover — the greater of the two.
Equifax As A Cautionary Tale
In today’s economy, data is the new oil. It’s no wonder that applications are the top attack vector for hackers — data lives within applications. With attacks on the rise, businesses can no longer afford to ignore their poor software hygiene practices.
In 2017, it took attackers three days to find their way into Equifax, in what would result in the most notorious heist of the year. Data on over 145 million British and American customers was pilfered after hackers took advantage of a known security vulnerability in the Apache Struts2 open source software component. Equifax’s breach proved catastrophic for the company, resulting in multiple C-Level departures. However, had GDPR been in place, the company’s predicament would have been even worse. Under GDPR rules, companies must notify the public within 72 hours of discovering a breach or face penalties of up to €10M ($12 million) — or up to 2% of prior year revenue — whichever is higher. Equifax’s decision to wait 40 days before notifying the public would have led to a $60 million fine on top of the reputational damage it incurred.
Hardwiring Security From The Beginning
To avoid an Equifax-like fate and ensure GDPR compliance, appropriate safeguards must be put in place across the entire software lifecycle. Just as development practices have accelerated, so have the safeguards. Where tollgate types of compliance were once the norm, automation is now being used to apply high-speed guardrails within software development practices to keep innovation moving at the right pace.
The Value Of Embedded Intelligence
How can developers stay GDPR compliant and continue to deliver competitive innovations in a secure manner? In short, by embracing DevSecOps principles aimed at building in quality. In DevSecOps practices, governance and compliance guardrails are embedded early and throughout the software development lifecycle. Once manual reviews of component governance have been automated, developers will have transparent access to digital guardrails integrated with their own native tools — an approach that ensures security is being built in without slowing developers down.
The digital guardrails exposed to developers surface component intelligence instantly, telling them which components are good and which ones have security defects. When defects are flagged, developers are guided through remediation with automated intelligence that helps to identify safer component alternatives to use. These instant feedback loops detailing good or bad components have been shown to increase developer productivity by as much as 48% (registration required).
Today’s DevSecOps solutions deliver embedded analysis and intelligence across the entire software supply chain. Over time, this approach ensures developers procure the best open source components from the best suppliers, while continuously tracking components across the entire lifecycle.
The application economy can grow and prosper in regulated environments if it’s managed properly. Organizations that embrace DevSecOps practices across their software supply chains will not only accelerate innovations but will also stay secure, compliant and competitive.