Open Source Development and Application Security Analysis [New Series]
By Adrian Lane
Earlier this year I participated in the 2014 Open Source Development and Application Security Survey, as I have for the last couple of years. As a developer and former development manager – and let’s face it, an overtly opinionated one – I am always interested in adding my viewpoint to these inquiries, even if I’m just one developer voice among thousands. But I have also benefited from these surveys – looking at the stuff my peers are using, and even selecting open source distributions based on these shared data points. Crazy, I know, but it’s another way to leverage the community.
But I am equally interested in the survey questions themselves, as they hint at what the sponsors most want to learn about their community. The organization that conducts this survey is Sonatype, and the 2014 survey was their 4th annual review of open source usage. This year’s survey was co-sponsored by Contrast Security, Rugged Software, NEA, and the Trusted Software Alliance. What piqued my interest this year is that I noticed more questions regarding security and vulnerabilities than in previous years. Even the name of the survey changed.
Another interesting facet is that the survey was conducted right when OpenSSL’s Heartbleed vulnerability was disclosed. It takes a lot for a security vulnerability to make mainstream news, but Heartbleed managed it. For any of you reading this who were not aware of it, OpenSSL is an open source implementation of the SSL/TLS protocols, and Heartbleed was a bug in its handling of the TLS heartbeat extension that let a remote peer read memory from the process. The disclosure simultaneously illustrated that open source components are in use just about everywhere – across industries and organizations of all sizes – and disrupted IT practitioners’ blind faith in this ubiquitous cryptographic library. But Heartbleed is not the story here – the more interesting thing is how it affected people’s understanding of open source software and security. My question was “Did the vulnerability change the survey results?”
In past years Sonatype provided us with a pre-briefing before they announced the survey results, and this year was no different. Having gone through the survey myself, I was extremely interested in the results. As we went through the data and discussed what it all meant, Sonatype said they were interested in getting someone to perform an independent analysis of the data. You don’t have to ask me twice – I jumped at the chance! As a security practitioner who has built software and managed development teams for a couple of decades, I can offer some perspective. We are beginning to see changes in developer attitudes toward, and participation in, security, not to mention a disruption of development approaches with DevOps, so I am eager to go through the data to better understand what developers are doing and what issues they face – in both security and product development. Over the next couple of posts I will discuss the results, with a focus on two key areas:
Security Trends Analysis: The survey poses several questions about security and about open source policies as they relate to security, vulnerability tracking, and responsibilities. We will examine tool usage, with trending data from prior years where applicable. Because the survey was conducted during the Heartbleed and Struts vulnerability disclosures, we can examine the data for important differences between responses given before and after disclosure.
Development Trends and Operations Management: The survey data contains several important questions on development policies around open source management and use. These trends may not have specific security implications, but they impact how teams manage open source and the general quality of their releases. I will discuss trends in open source policy management, licensing, and security testing approaches; as well as where security testing occurs within the development process. I will highlight key takeaways and make recommendations.
Finally, for those of you in security who are not familiar with Sonatype, think Apache Maven and Nexus. Their founder built Maven, probably the most widely used build automation tool in the Java ecosystem. The company also builds the Nexus repository manager, used by over 40,000 organizations for storing and organizing binary software components, including management of policies for their use and automated health checks for known security vulnerabilities.
As the steward of the Central Repository, which handled over 13 billion requests for open source components last year, they are in a unique position to monitor use of open source development components – including version management, license characteristics, update frequencies, and known security vulnerabilities. This perspective helped them formulate the survey and reach the 3,300+ development professionals who participated.
Next week I will cover the report’s security trend analysis. And if you’re interested I will also do a webcast with Brian Fox of Sonatype to discuss the highlights, comparing and contrasting our views on the results. Check it out!
Thanks Adrian, we are looking forward to your independent analysis. At Sonatype we know that folks appreciate a “no spin” approach to data and survey results, and we are very happy to have you leading the analysis following the Securosis Totally Transparent Research policy.
Also, a big thank you to Marco for his comment above. We are honored to be working with you.
By Derek E. Weeks (Sonatype)
That is pretty cool; looking forward to your coverage. As I’m working with Sonatype right now on a couple of things, I can confirm that they know what they are doing and that they are in fact in a pretty unique position to provide insights into open source usage and possible security implications.
By Marco Tietz