Security breaches linked to open source software components have increased by 71 percent over the last five years, reveals a new study by DevOps automation firm Sonatype.
According to the latest edition of DevSecOps Community Survey, 26 per cent of companies reported a confirmed or suspected web application breach in the past year alone.
As part of the survey, over 5,500 IT professionals were asked to give their opinion on today’s open-source projects and the community’s security stance.
Close to half (48 per cent) of open-source developers surveyed said they believe security must be a priority, but they “don’t have enough time to spend on it.” This is the same as the previous year, although down from 50 per cent in 2017.
According to the respondents, the primary reason for implementing security across the development lifecycle is risk management (34.77 per cent), followed by improving code quality (24.75 per cent) and meeting compliance requirements (23.42 per cent).
DevSecOps practices improve cybersecurity capabilities
However, DevSecOps practices are helping companies to bolster their cyber security capabilities. Of the organisations surveyed, 81 per cent of those with elite DevSecOps programmes had a cyber security response plan in place, versus 62 per cent of those without.
Elite DevSecOps companies are also three times more likely to provide application security training.
The study also found that 62 per cent of respondents with elite programmes have an open source governance programme in place, compared to just 25 per cent of those without DevOps practices.
“At a time when developers are under pressure and unable to find sufficient time to spend on security, the need for automated application security testing becomes even more apparent,” said Derek Weeks, vice president and DevOps advocate at Sonatype.
“The DevSecOps community has shown us that elite organizations are performing significantly less manual work, boosting efficiencies, simultaneously helping them to improve their cybersecurity capabilities, and better prepare for security incidents as they arise,” he added.