Open Source Vulnerabilities Converging DevOps & SecOps
Open source vulnerabilities can add strain to the already tense relationship between DevOps and SecOps. Learn how increased visibility from the 'right' of the CI/CD pipeline can help close the long-standing cultural gap between the two teams.
The modern workplace is moving away from traditional silos towards increased cross-functional collaboration, with teams working in lockstep to deliver better outcomes. But it is not as easy as it sounds.
Security and development teams have historically worked in silos, which has created a long-standing disconnect between them. Each team is responsible for a different aspect of the company's software, and their competing priorities, coupled with a large communications gap, have resulted in a cultural divide. Digital transformation has exacerbated the problem by putting more pressure on both teams: DevOps is tasked with pushing out products at accelerating speeds, while SecOps faces increasingly complex threats and an overload of alerts. The result? Both are grappling with overwhelming workloads.
Although DevOps teams understand the importance of securing their work, security is either an afterthought or the cause of a delay they do not have time for. Security workflows and oversight thin out the further left in the continuous integration and continuous delivery (CI/CD) pipeline you go, making it harder for security teams to identify problems early. This is a major issue for the SecOps teams that own cyber risk, and the miscommunication and lack of visibility are only worsened by misaligned tooling on both sides.
To combat these problems, security needs to be built in by design – not an afterthought.
The Open Source Code Factor
Open source code dominates modern application code. Third-party open source components in particular can rapidly accelerate time-to-market and reduce development costs, as they remove the need to write code from scratch. But they are also a source of growing cyber risk inside the enterprise: as developers expand their use of open source libraries to take advantage of the flexibility and efficiencies they provide, the attack surface expands with them. More often than not, security teams are left in the dark as DevOps teams move quickly to build and launch applications.
As most applications are built from multiple open source libraries, complex component inventories are increasing both opacity and risk. Organizations face a significant security risk, as open source vulnerabilities have grown 250% over the past three years, according to research from Snyk. What's worse, 70% of these vulnerabilities come from indirect (transitive) dependencies, which are pulled in by the libraries a developer chose rather than chosen directly, making them even harder to identify and mitigate. To balance against the potential risk, SecOps teams need increased visibility into this unfamiliar and vast ecosystem.
With open source code making up approximately 80% of application code today, visibility for security teams is a major factor in securing an application. Security teams need a solution that not only allows them to identify vulnerabilities, but also to communicate them in a common language that makes it simple for DevOps teams to fix them without causing delays or friction.
The First Open Source Security Solution for Security Teams
Trend Micro Cloud One – Open Source Security by Snyk is the first and only solution to approach open source security from the 'right' of the CI/CD pipeline and embed protection as early as possible in the development process. By leveraging Snyk's unique research and expertise on open source vulnerabilities, SecOps teams gain continuous visibility into known risks in their organisation's development ecosystem and its projects. Through automated prioritisation of critical issues, including vulnerability and exploit maturity scores, security teams can monitor and track risks without negatively impacting DevOps teams. This includes understanding how complex dependency paths and transitive vulnerabilities were introduced, by exploring the rich curated information and the specific, easy-to-understand details on each surfaced vulnerability. The same insight into hidden dependencies may also help organisations better manage licensing risks across projects.
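The two points made above, that most open source vulnerabilities arrive through indirect dependencies and that remediation starts with understanding the dependency path that introduced them, are easiest to see on a concrete graph. The following Python is an added example and is not code from the article, Trend Micro or Snyk; it works on a constructed dependency graph with placeholder package names and advisory identifiers (a real tool would read a lockfile or SBOM and an advisory feed) and, for every reachable vulnerable package, reports whether it is a direct or transitive dependency, every path by which it was pulled in, and which direct dependencies would have to be updated or replaced to remove all of those paths.

```python
"""
Added example (not code from the original article or from Trend Micro/Snyk):
enumerate dependency paths from an application to every vulnerable package in
its resolved dependency graph and classify each as direct or transitive.

All package names and advisory identifiers below are constructed placeholders.
"""
from typing import Dict, List

# Constructed resolved dependency graph: package -> packages it depends on.
# "url-parser" is reached through several routes and is never a direct
# dependency of the application; "image-tool" is a direct dependency.
DEPENDENCY_GRAPH: Dict[str, List[str]] = {
    "my-app": ["web-framework", "http-client", "image-tool"],
    "web-framework": ["template-engine", "http-client"],
    "http-client": ["url-parser"],
    "image-tool": ["compression-lib"],
    "template-engine": ["url-parser"],
    "url-parser": [],
    "compression-lib": ["url-parser"],
}

# Constructed advisory feed: package -> placeholder advisory id (not real CVEs).
# "orphan-lib" is included to show that advisories for packages the
# application does not pull in are ignored.
KNOWN_VULNERABLE: Dict[str, str] = {
    "url-parser": "ADVISORY-PLACEHOLDER-1",
    "image-tool": "ADVISORY-PLACEHOLDER-2",
    "orphan-lib": "ADVISORY-PLACEHOLDER-3",
}


def find_paths(graph: Dict[str, List[str]], root: str, target: str) -> List[List[str]]:
    """Return every simple path from root to target.

    Depth-first search; the current path doubles as the cycle guard so that
    mutually dependent packages cannot make the walk loop forever.
    """
    paths: List[List[str]] = []

    def dfs(node: str, path: List[str]) -> None:
        if node == target:
            paths.append(path[:])
            return
        for dep in graph.get(node, []):
            if dep in path:  # already on the current path: skip the cycle
                continue
            path.append(dep)
            dfs(dep, path)
            path.pop()

    dfs(root, [root])
    return paths


def vulnerability_report(graph: Dict[str, List[str]], root: str,
                         vulnerable: Dict[str, str]) -> Dict[str, dict]:
    """Describe each vulnerable package that root actually depends on.

    For each one: the advisory id, whether it is a direct dependency, every
    dependency path as a readable chain, and the direct dependencies that
    would have to be upgraded or replaced to cut every path (the packages a
    developer can act on at the source-code level).
    """
    report: Dict[str, dict] = {}
    direct = set(graph.get(root, []))
    for pkg, advisory in vulnerable.items():
        paths = find_paths(graph, root, pkg)
        if not paths:
            continue  # advisory does not apply: package is not reachable
        report[pkg] = {
            "advisory": advisory,
            "direct": pkg in direct,
            "paths": [" > ".join(p) for p in paths],
            # p[1] is the first hop below the root, i.e. the direct dependency
            "fix_targets": sorted({p[1] for p in paths}),
        }
    return report


def transitive_share(report: Dict[str, dict]) -> float:
    """Fraction of reachable vulnerable packages that are transitive (0.0 if none)."""
    if not report:
        return 0.0
    transitive = sum(1 for entry in report.values() if not entry["direct"])
    return transitive / len(report)


if __name__ == "__main__":
    findings = vulnerability_report(DEPENDENCY_GRAPH, "my-app", KNOWN_VULNERABLE)
    for pkg, entry in findings.items():
        kind = "direct" if entry["direct"] else "transitive"
        print(f"{pkg} ({entry['advisory']}, {kind}); fix via {entry['fix_targets']}")
        for chain in entry["paths"]:
            print("   ", chain)
    print(f"transitive share: {transitive_share(findings):.0%}")
```

On the constructed graph, the report shows why a flat list of vulnerable package names is not enough for a developer: `url-parser` is reachable by four different chains through three different direct dependencies, so bumping a single library would leave the other paths in place, whereas `image-tool` is a one-hop fix. Run against a real lockfile, the same walk is what turns an advisory into an actionable, path-level ticket for the DevOps team.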
Ultimately, this enables security teams to report with confidence to their CISO, improve the quality of application output and mitigate licensing challenges. It also bridges the communications gap between DevOps and SecOps by helping to create a common language. This allows SecOps to become part of the conversation and help DevOps teams fix vulnerabilities at the source-code level, without friction. The result is two unified teams, working together in lockstep to deliver a better product.
Improving the security quality of an application, which traditionally caused setbacks in development time, can now do the exact opposite, and Trend Micro is proud to have taken the first step towards bridging this cultural divide.