With low-code applications increasing in popularity alongside DevOps, most developers no longer write code from scratch. Rather, applications developed today are created mostly by combining various modules and widgets into a custom application. However, with this feast comes a famine of oversight, particularly around how open-source projects handle the bugs and vulnerabilities that show up in those components.
These issues are discussed in Sonatype’s latest State of the Software Supply Chain Report, which highlights that only 15.8 percent of open-source software projects actively fix vulnerabilities, resulting in an average mean time to remediation of 233 days. In effect, that gives cybercriminals the better part of a year to exploit a known vulnerability, at a cost to organizations in every sector. Part of this can also be chalked up to IT organizations simply not being efficient yet, even with DevOps best practices in place.
Sonatype’s analysis is based on more than 17,000 applications and on the downloads of Java and JavaScript components. In essence, the need for security and governance is high and only going to get higher as more organizations adopt DevOps through the end of the decade.
But not all news is bad. The good news is that greater awareness of DevSecOps issues appears to be having an impact. The report finds that the percentage of Java components downloaded from the Sonatype Central Repository that contained known security vulnerabilities fell to 5.5 percent (1 in 18), down from 6.1 percent the year prior. Though the growth in total downloads makes year-over-year comparison difficult, it is a baseline to improve from.
In all, the report makes clear that DevOps processes are not being extended far enough to the proverbial left. Instead of focusing only on the application release cycle, organizations need to apply structured processes to the components that are being aggregated together during the application development process. As development moves toward a manufacturing approach, it’s only a matter of time before a much greater emphasis gets placed on quality control all the way down that manufacturing line, not only to limit liability but also to improve the overall application experience. We continue to encourage our clients to be vigilant in how they communicate, collaborate, and improve their operations overall.
Get Started on DevOps
Are you looking to master your DevOps processes or get started? Talk to one of our sales specialists today at sales@perficient.com and download our DevOps guide below for additional guidance and best practices.