
InfoSec Use of Compliance Tools for Open Source Software

8 Oct 2020 9:27am, by

Stop asking about how to integrate security into the development pipeline and start talking about how open source compliance is utilized by information security professionals.

Security professionals are dissatisfied with how legacy application security software has been utilized by developers. They think if their tools were easier to integrate and more accurate, then developers would be more likely to adopt them, according to WhiteSource Software’s recent survey, which compared answers from over 220 security professionals with those from over 280 software developers, architects and DevOps practitioners.

But ease of integration may not be holding developers back. While 48% of the security respondents thought the ease of integration is the most important feature for developers adopting a specific AppSec tool, only 22% of developers thought likewise. The discrepancy is because a lot of developers don’t think any additional feature would make them more likely to use a tool built for a security pro.

A different way of looking at things is from the developer, architect and DevOps point of view. These job roles often utilize software composition analysis software, which scans for license compliance, dependencies, and vulnerabilities all at the same time.

In our recent “Open Source in the Enterprise” survey, almost 500 respondents’ organizations utilized an open source compliance tool or methodology, which indicates open source compliance has been accepted by the enterprise. But it still has a long way to go, as only 29% of this group affirmatively agree that the Information Security function accesses data from the automated tools used for open source compliance. Another 37% answered “Don’t know,” indicating a dramatic lack of visibility between groups involved in the so-called DevSecOps ecosystem.

Although based on a considerably smaller sample size, another poll conducted by TNS found information security teams are more likely to utilize dependency scans at companies where DevOps led the selection of a scan tool. Application development teams typically have not led the selection process for scanning tools used in the deployment or release management stage of the CI/CD pipeline. Will that change if developers are in charge again?

Compared to five or ten years ago, it is debatable whether developers have actually gained additional input or influence into the buying process for IT and software products. However, it is undeniable that developers continue to have an outsize influence on the direction of cloud, data, security, enterprise and many other types of architecture. Sometimes, developer recommendations impact the acquisition of software that will be used company-wide, but often adoption happens gradually, one peer and one department at a time.

Venture capitalist Tyler Jewell has been tracking what he describes as a developer-led landscape of products that are sold directly to, purchase-influenced, or consumed by developers. Of particular interest are the 277 companies he has identified as the developer infrastructure for building the hardware and software to support repeatable software construction. Within this segment are artifact repositories and the Code + Application Security space.

We look forward to providing additional recommendations to Jewell’s list of products and companies. In the meantime, take a look at what our survey respondents are using for open source software compliance.

This graphic was updated on October 13, 2020. The title no longer calls attention to the chart’s leaders, and choices with less than 1% were collapsed into the “Other” category.
