It has been reported that open-source software projects continue to struggle with handling sensitive information, according to automated scans of hundreds of millions of commits to code repositories. Driven by increased research into software security, more software under development, companies' greater openness to vulnerability reporting and, perhaps most of all, improvements to the process of recording vulnerability reports, the number of software security issues published in the National Vulnerability Database rose to its highest recorded level in 2019, surpassing 17,300 issues reported during the year.
Many organisations, not only OSS projects, find it difficult to code with security in mind. Many developers are self-taught or were trained at school or university, and use those skills as a hobby, to contribute to OSS projects or to pursue their own personal projects. Unfortunately, training programmes and tutorials often fall short when it comes to stressing the importance of security.
Companies often come to us asking for help to incorporate this important component into their development lifecycles. Training can certainly help to make developers more security aware, but companies should also have mechanisms in place to uncover insecurely hard-coded strings or vulnerabilities that may have been introduced through OSS components. Static Code Analysis tools such as Coverity and Software Composition Analysis tools such as Black Duck can assist developers in identifying potential risks in the software.
It is essential for flaws to be discovered early in the cycle, which is why there has recently been a push to "Shift Left" and introduce security much earlier in the development lifecycle. This would help set an example that OSS projects would follow, ultimately benefiting the whole OSS ecosystem and the organisations that rely on OSS components.
Schools and training institutions are also responsible for stressing secure programming and for avoiding the spread of insecure coding practices.